# Documentation site for Ultimate Security plugin for WordPress. > Maintenance & Tools 6 Comments Management Backup & Restore Security Tools Advanced Settings Database Cleanup Self Defense Test Mode 1 Test Mode Error Notifications 1 Error Notifications Monitor & Diagnostics --- ## Pages - [Home](https://docs.wpultimatesecurity.com/) --- ## Posts --- ## Docs - [History](https://docs.wpultimatesecurity.com/docs/alerts-notifications/history/): This page shows a record of all security alerts that have been sent from your WordPress site. It’s like a... - [Alerts & Notifications](https://docs.wpultimatesecurity.com/docs/alerts-notifications/alerts-notifications/): This section helps you manage how you receive security alerts from your WordPress site. Dashboard Navigation Tabs At the top,... - [Security Incidents](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/security-incidents/): Security Incidents shows you only the important security-related events on your WordPress site. This tab filters out normal site activity... - [Activity Logs Dashboard](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-logs-dashboard/): The Activity Logs Dashboard gives you a quick overview of what’s been happening on your WordPress site. It shows you... - [Activity All Logs](https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-all-logs/): Activity logs help you monitor and analyze security events and user activity on your WordPress site. This feature records everything... - [Scan History](https://docs.wpultimatesecurity.com/docs/scan-history/scan-history/): The Scan History tab shows you all the security scans you’ve run on your WordPress site. It helps you track... - [Vulnerability Scanner Dashboard](https://docs.wpultimatesecurity.com/docs/dashboard-vulnerability-scanner/vulnerability-scanner-dashboard/): The Vulnerability Scanner helps you check your WordPress site for security issues in your plugins, themes, and WordPress core. It... - [Vulnerability Scanner Settings](https://docs.wpultimatesecurity.com/docs/configure-api-key/vulnerability-scanner-settings/): This window helps you configure the scanner. What You Can Configure: API Configuration: Schedule: Notifications: Buttons: - [Advanced Settings](https://docs.wpultimatesecurity.com/docs/maintenance-tools/advanced-settings/): Data Management This section decides what happens if you ever decide to stop using the plugin and delete it. Emergency... - [Site Health](https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/site-health/): The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is... - [Error Notifications](https://docs.wpultimatesecurity.com/docs/error-notifications/error-notifications/): This page helps you set up how you want to get alerts when something goes wrong with your website. What... - [Test Mode](https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/test-mode/): This page helps you test your security settings without actually blocking real users. Enable Test Mode: User Roles: Safety Options:... - [Comments Management](https://docs.wpultimatesecurity.com/docs/maintenance-tools/comments-management/): Global Comments This section lets you decide where people are allowed to leave comments. Select Post Types If you chose... - [Backup & Restore](https://docs.wpultimatesecurity.com/docs/maintenance-tools/backup-restore/): Backup Settings This section lets you save your current settings into a file that lives on your computer. Restore Settings... - [Security Tools](https://docs.wpultimatesecurity.com/docs/maintenance-tools/security-tools/): REST API Methods The REST API uses four main types of messages to manage your website’s data: What the Status... - [Database Cleanup](https://docs.wpultimatesecurity.com/docs/maintenance-tools/database-cleanup/): Database Stats At the top, you’ll see four important numbers: Overview Tab This is the main dashboard that shows you:... - [Self Defense](https://docs.wpultimatesecurity.com/docs/maintenance-tools/self-defense/): This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: File Integrity Monitoring... - [WordPress Security Keys](https://docs.wpultimatesecurity.com/docs/security-keys/wordpress-security-keys/): WordPress security keys (also called “salts”) are special codes that help protect your website from hackers Current Salt Keys The... - [Security Hardening](https://docs.wpultimatesecurity.com/docs/security-hardening/security-hardening/): This section helps make your WordPress website more secure by adjusting important security settings. Think of it like adding extra... - [Update History](https://docs.wpultimatesecurity.com/docs/update-manager/update-history/): This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you... - [Theme Updates](https://docs.wpultimatesecurity.com/docs/site-hardening/theme-updates/): Themes are the visual designs and layouts of your website – they control how your site looks and feels to... - [Plugin Updates](https://docs.wpultimatesecurity.com/docs/site-hardening/plugin-updates/): This page helps you control how your website updates itself. Updates are important because they: Plugin Updates Section This specific... - [API & Data Privacy](https://docs.wpultimatesecurity.com/docs/api-data-privacy/api-data-privacy/): API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think... - [Display Settings](https://docs.wpultimatesecurity.com/docs/content-protection/display-settings/): You can customize the message when visitors try to do something that is blocked. Notification Type You can select from... - [Overview](https://docs.wpultimatesecurity.com/docs/login-authentication/overview/): It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery codes. Navigate... - [Email OTP](https://docs.wpultimatesecurity.com/docs/login-authentication/email-otp/): This page lets you set up email verification. When turned on, users will get a one-time code in their email... - [Authentication Apps](https://docs.wpultimatesecurity.com/docs/login-authentication/authentication-apps/): Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet... - [Custom Login URL](https://docs.wpultimatesecurity.com/docs/login-authentication/custom-login-url/): This page helps you protect your website by hiding your login page. By changing the address of your login page,... - [Password Requirements](https://docs.wpultimatesecurity.com/docs/login-authentication/password-requirements/): This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that... - [Settings](https://docs.wpultimatesecurity.com/docs/login-authentication/settings/): This page helps secure accounts by limiting current logins, terminating idle sessions, and tracking all login attempts About Active Logins... - [Google reCAPTCHA](https://docs.wpultimatesecurity.com/docs/bot-protection/google-recaptcha/): This section helps you block bots from spamming your website’s form. It uses a tool from Google to check if... - [Cloudflare Turnstile](https://docs.wpultimatesecurity.com/docs/bot-protection/cloudflare-turnstile/): This guide will help you set up and use the Cloudflare Turnstile plugin. This keeps your website safe without making... - [Login Attempts](https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-attempts/): This setting helps you stop automated robots from guessing your password. Login Limit Login Attempts Lockout Duration: Increase Login attempts:... - [Lockout Notifications](https://docs.wpultimatesecurity.com/docs/brute-force-protection/lockout-notifications/): Lockout Notifications The switch controls the configuration setting Notification Email Notify On User Lockout Sends an email when someone is... - [Content Protection Overview](https://docs.wpultimatesecurity.com/docs/content-protection/content-protection-overview/): Content Protection Overview page helps you protect your website’s content from being copied by visitors. Enable Content Protection This main... - [Text Protection](https://docs.wpultimatesecurity.com/docs/content-protection/text-protection/): This feature helps protect the text content on your website from being copied by visitors. Disable Right-Click This stops visitors... - [Image Protection](https://docs.wpultimatesecurity.com/docs/content-protection/image-protection/): This helps you stop people from stealing the images on your website. It makes it much harder for visitors to... - [Keyboard Shortcut](https://docs.wpultimatesecurity.com/docs/content-protection/keyboard-shortcut/): Keyboard Shortcut Protection blocks keyboard shortcuts to access developer tools or save your website content. Disable Developer Tools This blocks... - [Monitoring & Diagnostics](https://docs.wpultimatesecurity.com/docs/how-it-works/monitoring-diagnostics/): Site Health The Site Health page is like a doctor’s report for your website. It shows you exactly how your... - [Maintenance & Tools](https://docs.wpultimatesecurity.com/docs/how-it-works/maintenance-tools/): Comments Management Global Comments This section lets you decide where people are allowed to leave comments. 2. Select Post Types... - [Site Hardening](https://docs.wpultimatesecurity.com/docs/how-it-works/site-hardening/): Content Protection Content Protection Overview page helps you protect your website’s content from being copied by visitors. Enable Content Protection... - [Login & Authentication](https://docs.wpultimatesecurity.com/docs/how-it-works/login-authentication/): Two-Factor Authentication It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery... - [Threat Protection](https://docs.wpultimatesecurity.com/docs/how-it-works/threat-protection/): Bot Protection reCAPTCHA Settings This section helps you block bots from spamming your website’s form. It uses a tool from... - [Installation](https://docs.wpultimatesecurity.com/docs/getting-started/installation/): You can install the plugin in two ways. The easiest way is through the WordPress Dashboard. Method 1: Install via... - [Dashboard](https://docs.wpultimatesecurity.com/docs/dashboard/dashboard/): Once the plugin is activated, you will see a new menu item in your WP dashboard called Ultimate Security. Click... - [System Requirements](https://docs.wpultimatesecurity.com/docs/getting-started/system-requirements/): Before installing WP Ultimate Security, please ensure your server meets the following minimum requirements: --- # # Detailed Content ## Pages - Published: 2026-01-26 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/ Maintenance & Tools 6 Comments Management Backup & Restore Security Tools Advanced Settings Database Cleanup Self Defense Test Mode 1 Test Mode Error Notifications 1 Error Notifications Monitor & Diagnostics 3 Site Health Error Notifications Test Mode Security Hardening 1 Security Hardening Update Manager 3 Plugin Updates Theme Updates Update History API & Data Privacy 1 API & Data Privacy Security Keys 1 WordPress Security Keys Content Protection 5 Content Protection Overview Text Protection Image Protection Keyboard Shortcut Display Settings Site Hardening 9 Content Protection Overview Text Protection Image Protection Keyboard Shortcut Display Settings API & Data Privacy Plugin Updates Theme Updates Security Hardening Brute Force Protection 2 Login Attempts Lockout Notifications Bot Protection 2 Google reCAPTCHA Cloudflare Turnstile Threat Protection 4 Google reCAPTCHA Cloudflare Turnstile Login Attempts Lockout Notifications Session Management 1 Settings Login Hardening 2 Custom Login URL Password Requirements Two-Factor Authentication 3 Overview Email OTP Authentication Apps Login & Authentication 6 Overview Email OTP Authentication Apps Custom Login URL Password Requirements Settings History 1 History Settings 1 Alerts & Notifications Alerts & Notifications 2 Alerts & Notifications History Security Incidents 1 Security Incidents All Logs 1 Activity All Logs Dashboard 1 Activity Logs Dashboard Activity Logs & Monitoring 3 Activity All Logs Activity Logs Dashboard Security Incidents Configure API Key 1 Vulnerability Scanner Settings Configure API Key 1 Vulnerability Scanner Settings Settings 1 Vulnerability Scanner Settings Scan History 1 Scan History Dashboard 1 Vulnerability Scanner Dashboard Vulnerability Scanner 2 Vulnerability Scanner Dashboard Scan History Dashboard 1 Dashboard How It Works? 5 Access Restrictions Login & Authentication Threat Protection Site Hardening Maintenance & Tools Monitoring & Diagnostics Getting Started 2 Ultimate Security Beginner User Guide System Requirements Installation --- --- ## Posts --- ## Docs - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/alerts-notifications/history/ - Docs Categories: Alerts & Notifications, History This page shows a record of all security alerts that have been sent from your WordPress site. It's like a logbook of what's been happening with your site's security. Filtering Your Alerts You can narrow down what you see using these filters: Status: Choose to see all alerts or only specific ones (like pending, sent, or failed) Priority: Filter by importance level (low, medium, high) Event Type: Focus on specific types of security events Date Range: Look at alerts from a specific time period Search and Export Search alerts: Type keywords to find specific alerts quickly Reset Filters: Clear all your filter selections Refresh: Update the page to see the latest information Export: Save your alert data as CSV or JSON files for records or analysis Alert List The table shows detailed information about each alert: Created: When the security event happened Type: What kind of security event occurred Priority: How important the alert is (HIGH priority events are marked in red) Title: A brief description of the event (click to see more details) Status: Whether the alert was successfully sent Attempts: How many times the system tried to send the alert Sent At: When the alert was actually delivered Actions: Additional options for each alert This history helps you track your site's security over time and understand what types of events are occurring most frequently. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/alerts-notifications/alerts-notifications/ - Docs Categories: Alerts & Notifications, Settings This section helps you manage how you receive security alerts from your WordPress site. Dashboard Navigation Tabs At the top, you'll see two tabs: Settings: Where you configure your alert preferences History: View past alert activity and logs Alert Queue Statistics This section shows you the current status of your security alerts: 1. Pending: Alerts waiting to be sent 2. Sent: Alerts that have been successfully delivered 3. Failed: Alerts that couldn't be sent 4. Total: All alerts processed in the system Email Notifications This feature sends security alerts directly to your email when issues are detected: Toggle the switch to enable/disable email alerts Enter your email address Use the Send Test button to check if your email notifications are working Webhook Integrations Connect your security alerts to other services: Send alerts to platforms like Slack, Discord, Microsoft Teams, or custom endpoints Currently shows "0 configured" - meaning no webhooks are set up yet Click Add Webhook to connect external services Notification Filters Settings This page helps you choose which types of security incidents should send you alerts. You can customize exactly what notifications you want to receive. Quick Actions Enable All: Turn on notifications for every security event Disable All: Turn off all notifications at once Notification Types You Can Configure Each toggle switch controls whether you receive alerts for specific events: Login Attacks: Get notified about repeated failed login attempts Blocked IPs: Alerts when IP addresses are blocked by security rules Brute Force Attacks: Notifications for detected brute force attack patterns File Changes: Alerts when core files are modified Plugin/Theme Updates: Get notified about available security updates Plugin Deactivation: Know when your security plugin is turned off Privilege Changes: Alerts for modified user roles or permissions New Admin User: Notifications when new administrator accounts are created After making your selections, click the Save Settings button to apply your preferences. This ensures your notification configuration takes effect immediately. This dashboard helps you stay informed about your site's security by delivering important alerts through your preferred methods. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/security-incidents/ - Docs Categories: Activity Logs & Monitoring, Security Incidents Security Incidents shows you only the important security-related events on your WordPress site. This tab filters out normal site activity and shows you potential security issues that need your attention. Security Incidents Tab Click on this tab to view only security-related events, instead of all site activities. Refresh Button Click this purple button to get the latest security incident information. Incident Statistics These boxes show you at a glance: Total Active Incidents: How many security issues are currently active Critical: Most serious security problems High: Important security issues Medium: Less serious but still important issues Filters Section Use these to narrow down what incidents you see: Status: Choose to see all incidents or specific ones Severity: Filter by how serious the incidents are Bulk action: Select multiple incidents to take action on them at once Apply: Click to apply your filter settings Search Bar Use this to find specific security incidents by searching for details. What You'll See When your site has no security issues, you'll see a message saying, "No incidents detected. Your site is secure! " This is good news! Why Use Security Incidents? Focus only on important security matters Quickly see if your site has any vulnerabilities Monitor for suspicious activity Take action on multiple incidents at once The Security Incidents tab helps you stay on top of your site's security without being overwhelmed by normal site activity. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-logs-dashboard/ - Docs Categories: Activity Logs & Monitoring, Dashboard The Activity Logs Dashboard gives you a quick overview of what's been happening on your WordPress site. It shows you important statistics and recent events to help you monitor your site's activity. Navigation Tabs Dashboard: Current view showing statistics and summaries All Logs: View all recorded activities Security Incidents: See only important security-related events Time Period Filter Choose how far back you want to see activity: You can change this to see different time ranges Statistics Overview These boxes give you quick insights: Total Events: How many activities have occurred (63 in this example) High Severity: Number of important security events Unique Users: How many different people have been active Failed Logins: Any unsuccessful login attempts Severity Distribution This shows how serious the events were: High: Most critical events Medium: Moderately important events Low: Less critical events Top Event Types See what activities happen most often: post_created: New posts or pages added post_delete: Posts or pages removed user_login: Users logging in taxonomy_add: Categories or tags created login_success: Successful logins Recent Critical Events This section shows the most important recent activities: Plugin deactivations Critical setting changes When they happened Activity Trend This is a visual graph of security events over time, which gives you an idea of patterns and unusual activity spikes Why Use the Dashboard? Get a quick summary of your site's activity Spot unusual patterns or security issues See what changes have been made recently Monitor user activity and security events The dashboard helps you stay aware of your site's health and catch potential problems early. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/activity-logs-monitoring/activity-all-logs/ - Docs Categories: Activity Logs & Monitoring, All Logs Activity logs help you monitor and analyze security events and user activity on your WordPress site. This feature records everything that happens on your site, so you can see who did what and when. All Logs Tab This is the main view showing all recorded activities on your site. Refresh Button Click this purple button to get the latest activity log information. Time Filters These help you narrow down what logs you see: All: Shows all logs Today: Shows only today's activities Last 7 days: Shows activities from the past week This Month: Shows activities from the current month Severity Filter Choose to see logs with specific importance levels. Sources Filter Filter logs by where they came from. Export CSV Button Click this purple button to download your activity logs as a CSV file for record-keeping or analysis. Search Bar Use this to find specific events by searching for: Event names Messages IP addresses User information Log Table The table shows detailed information about each activity: ID: Unique identifier for the log entry Source: Where the activity came from Severity: How important the event is Date: When it happened User: Who performed the action IP: The user's IP address Browser/Platform/Device: Technical details about the user's setup Object: What was affected Event: What happened Why Use Activity Logs? Keep track of who's accessing your site Monitor for suspicious activity See when changes are made to your site Maintain a record of site events for security purposes The activity logs help you stay aware of everything happening on your WordPress site and catch potential security issues early. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/scan-history/scan-history/ - Docs Categories: Scan History, Vulnerability Scanner The Scan History tab shows you all the security scans you've run on your WordPress site. It helps you track when you scanned your site and what the results were. Scan History Tab Click on this tab to view your past security scans instead of the dashboard overview. Scan Now and Settings Scan Now button instantly starts scanning all files, and Setting button lets you configure API. Refresh Button Click this purple button to get the latest scan history information. Previous Scans Section This area shows your scan history with important details: Scan Date: When the scan was performed Vulnerabilities: How many security issues were found Items Scanned: What parts of your site were checked (plugins, themes, etc. ) API: The scanning technology used Scan Entry You'll see entries like: Date and time of the scan Number of vulnerabilities found (0 means no issues) What was scanned (plugins, themes, etc. ) The scanning method used Why Use Scan History Keep track of when you last checked your site's security See if vulnerabilities were found in previous scans Monitor your site's security over time Compare scan results to ensure your site stays secure The scan history helps you maintain a record of your site's security checks and ensures you're regularly protecting your WordPress installation. --- - Published: 2026-02-17 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/dashboard-vulnerability-scanner/vulnerability-scanner-dashboard/ - Docs Categories: Dashboard, Vulnerability Scanner The Vulnerability Scanner helps you check your WordPress site for security issues in your plugins, themes, and WordPress core. It scans for known vulnerabilities that could make your site unsafe. Key Features Top Action Buttons Scan Now: Click this purple button to start a security scan of your entire WordPress site Settings: Access advanced scanner settings and preferences Dashboard Tab This is your main view showing an overview of your site's security status. It displays: Vulnerabilities Found Critical/High issues Available updates Abandoned items Search Bar Use this to search for specific plugins or themes in your list. Just type the name you're looking for. Filter Dropdown This helps you narrow down what you see: "All Items" shows everything You can filter to see Vulnerable, Outdated, or Abandoned items Content Tabs Plugins: View and manage all your installed plugins Themes: See your installed themes and their status WordPress Core: Check your WordPress installation status How to Use Click "Scan Now" to check your site's security Use the search bar to find specific items quickly Switch between tabs to manage different parts of your site Check the dashboard for a quick security overview The scanner helps keep your WordPress site secure by identifying potential security issues before they can be exploited. --- - Published: 2026-02-17 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/configure-api-key/vulnerability-scanner-settings/ - Docs Categories: Configure API Key, Configure API Key, Settings This window helps you configure the scanner. What You Can Configure: API Configuration: WPScan API Key: Get WPScan API key, and paste it into the field Patchstack API Key: Get Patchstack API key, and paste it into the field Schedule: Scan Frequency: Choose how often to scan (currently set to "Daily") Abandoned Threshold: Set how many days to check for abandoned plugins/themes Notifications: Email Notifications: Toggle ON/OFF (currently ON) Notification Email: Enter the email address to receive alerts Severity Levels: Choose which types of issues to notify about (Critical, High, Medium, Low) Buttons: Cancel: Close without saving Continue: Save your settings --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/advanced-settings/ - Docs Categories: Maintenance & Tools Data Management This section decides what happens if you ever decide to stop using the plugin and delete it. Delete plugin data on uninstall: * What it does: If you turn this switch ON, the plugin will erase everything it ever recorded (like settings and security logs) when you delete it from WordPress. Why use it: Use this if you want to make sure no leftover "digital trash" is left behind on your website. Warning: Once this data is deleted, you can never get it back! Emergency Access (The "Spare Key") This is one of the most important parts of the plugin. Sometimes, security settings might accidentally lock you out of your own website. Emergency URL: This is a secret web link made just for you. What it does: If you are locked out, you can paste this secret link into your browser. It will automatically turn off the security plugin so you can get back into your site. How to use it: 1. Save it: Copy this link and save it somewhere safe, like a notebook or a private file on your phone. 2. Test URL: Click this to make sure the link works. 3. Regenerate URL: If you think someone else saw your secret link, click this to create a brand-new one. Reset & Cache (The "Fresh Start") If the plugin is acting strangely or you just want to go back to the beginning, use these buttons. Reset to Defaults: * What it does: This pushes the "Reset" button on every setting in the plugin. It will go back to exactly how it looked when you first installed it. Clear Cache: * What it does: This clears out "temporary memory" that the plugin uses. Why use it: If you changed a setting but don't see the change happening on your site, clicking this can usually fix the problem. Always remember to click the Save Changes button at the bottom left after turning on the "Delete plugin data" switch! --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/site-health/ - Docs Categories: Monitor & Diagnostics The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is built and if it is running smoothly. If you ever need to ask a professional for help, all the information they need is right here. The Action Buttons At the top of the page, you have three main tools: Copy site info: This copies all your technical details so you can easily paste them into an email for support. Refresh: This updates the page to show the most recent information. Export: This saves a copy of all this information to your computer. The Information Tabs There are six different "folders" of information you can look through: 1. WordPress This shows your site’s "ID card. " It tells you which version of WordPress you are using (like 6. 9) and if your site is using a "secure lock" (HTTPS). If you see "HTTPS is not enabled," you should fix this to keep your site safe. 2. Environment This shows details about the computer (server) where your website lives. PHP Version: This is the main "engine" version your site runs on. Memory Limit: This shows how much "brain power" your site is allowed to use. WP_DEBUG: If this says "Enabled" with a red warning, it might show technical errors to your visitors. It is usually safer to have this "Disabled". 3. Database This is the "filing cabinet" where all your posts, pages, and settings are stored. It lists the technical names and versions of your database so experts can see how it is organized. 4. Filesystem This section checks the "drawers" on your server to make sure WordPress is allowed to save and move files. It shows where your plugins, themes, and images are kept on the computer. 5. Themes This lists the different designs (Themes) you have installed. Active: The design you are currently using for your site. Inactive: Other designs you have downloaded but are not using right now. 6. Plugins This shows the extra "tools" (Plugins) you have added to your site, like Ultimate Security. It tells you if they are Active and which version you are using. --- - Published: 2026-02-16 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/error-notifications/error-notifications/ - Docs Categories: Error Notifications, Monitor & Diagnostics This page helps you set up how you want to get alerts when something goes wrong with your website. What You Can Do Here: Notification Email: You can choose which email address gets error messages Right now it's set to: youremail@gmail. com Send Test Email: Click the "Send Test" button to check if your email notifications work Remember to check your spam folder if you don't see the test email Slack Channel: You can send error alerts to a Slack channel The channel name is: #security-alerts The channel must already exist in your Slack workspace Slack Webhook URL: This is a special link that connects your website to Slack It should look like https://hooks. slack. com/services/xxxxxx. Send Test Message: Click "Send Slack" to test if your Slack notifications work Error Levels To Notify: These are different types of errors your site might have You can turn each type ON or OFF using the toggle switches Right now, "E_ERROR" is turned ON (green switch) Other types like warnings, notices, and user errors can be turned on or off --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/monitor-diagnostics/test-mode/ - Docs Categories: Monitor & Diagnostics, Test Mode This page helps you test your security settings without actually blocking real users. Enable Test Mode: When ON, it simulates security features without really blocking anyone User Roles: You can choose which user types to test with: Administrator (always active) Editor Author Contributor Subscriber Each has its own toggle switch Safety Options: Always exclude administrators (recommended) - keeps you safe from being blocked Log simulated blocks to activity logs - keeps records of test runs Show test mode notice in admin dashboard - reminds you it's in test mode Simulation Statistics: Shows how many test blocks happened: Today: 0 This Week: 0 This Month: 0 Total: 0 You can "Refresh Stats" or "Clear All Logs" Recent Simulations: Shows your test results Right now it says: "No simulation logs yet. Enable test mode and wait for security events to be simulated. " --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/comments-management/ - Docs Categories: Maintenance & Tools Global Comments This section lets you decide where people are allowed to leave comments. What it does: You can turn off comments for your whole website or just for specific types of pages. How to use it: Use the dropdown menu to choose if you want to disable comments everywhere or only on certain parts of your site. Select Post Types If you chose to turn off comments on "certain post types," this is where you pick them. What it does: You can flip the switch for Posts, Pages, Media (like images), or Products. Why use it: Sometimes you want people to comment on your blog posts, but not on your "Contact Us" page or product images. Comment Settings (The Spam Blockers) Spammers love to leave links to other websites. These settings stop them. Remove "url" in the comment form: This hides the box where people normally type their website address. If they can't put their link, they usually won't leave a spam comment. Remove external links in the comments: If a spammer does leave a link, this tool will strip it out. Replace external links from author bio: This stops people from using their profile name to advertise other websites. Cleaning Up Old Comments The bottom sections are for deleting comments that are already there. Remove All Comments: Use this to wipe the slate clean and delete every single comment on your site. Remove Spam Comments: This deletes comments that WordPress has already flagged as "Spam. " Remove Unapproved Comments: This clears out comments waiting for you to say "Yes" or "No" to them. Remove Trashed Comments: This empties the "Trash" bin for your comments, like taking the garbage out to the curb. Always click the purple Save Changes button at the very bottom left after you make a choice. If you don't, the plugin won't remember what you picked! --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/backup-restore/ - Docs Categories: Maintenance & Tools Backup Settings This section lets you save your current settings into a file that lives on your computer. What it does: It turns all your switches and buttons into a special file (called a JSON file). Select sections to export: You can choose exactly what to save. You can check boxes for things like Login Settings, Security Settings, or Access Restrictions. Download Backup: When you click this purple button, the file downloads to your computer. Copy: This button lets you copy the settings as text if you just want to paste them somewhere else. Restore Settings If you move to a new website or accidentally mess up your settings, use this area to fix it. What it does: It takes a file you saved earlier and puts all those settings back onto your site. How to use it: You can Drag & drop your saved file into the gray box, or click Select JSON File to find it on your computer. Import Settings: Once the file is uploaded, click this to turn the settings on. --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/security-tools/ - Docs Categories: Maintenance & Tools REST API Methods The REST API uses four main types of messages to manage your website's data: GET (The "Reader"): This is used when your site wants to read or look at information. It’s like opening a book to see what is written inside. POST (The "Creator"): This is used to add or create something new. It’s like writing a brand-new page and adding it to your book. PUT (The "Editor"): This is used to update or fix something that is already there. It’s like taking an eraser to a mistake and writing the correct information over it. DELETE (The "Eraser"): This is used to remove information. It’s like ripping a page out of the book and throwing it away. What the Status Colors Mean Active (Green): The "door" is open, and your website can use this method to talk to other apps. Inactive (Red): The "door" is locked. This might be for safety, but sometimes it can stop certain features from working. Server Resources This part shows you how hard your website's "brain" is working. Memory Limit: This is the total amount of "thinking space" your website has (for example, 256M). Current Usage: This shows how much of that space you are using right now. If the green bar gets too full, your site might slow down. Max Execution Time: This is the amount of time (in seconds) your site is allowed to work on a single task before it gives up. Copy & Print: You can use these buttons to save this information if you ever need to show it to a tech expert for help. Scheduled Tasks This is the "To-Do List" for your security plugin. Event Name: This is the name of the specific job the plugin needs to do, like checking your files for changes or sending alerts. Schedule: This tells you how often the job happens (for example, "every minute" or "hourly"). Next Run: This shows a countdown of when the job will start again. Actions (Run Button): If you don't want to wait for the timer, you can click the Run button to make the plugin do that task immediately. You don't usually need to change anything here. This page is mostly for checking that everything is working exactly as it should! --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/database-cleanup/ - Docs Categories: Maintenance & Tools Database Stats At the top, you'll see four important numbers: Total Database Size: How big your database is (right now it shows 0 B) Total Records: How many things are stored in your database (right now it shows 0) 30-Day Growth Estimate: How much your database might grow in 30 days Avg. Daily Records: How many new things are added each day Overview Tab This is the main dashboard that shows you: Your total database size How many records (items) are in your database How your database is growing Average daily records being added Turn On Automatic Cleanup You'll see two toggle switches: Enable Automatic Cleanup - This automatically removes old, unnecessary data from your database Enable Archiving Before Deletion - This saves a copy of data before removing it (good for safety) Both are turned ON by default, which is usually best for most websites. Clean Up Your Database In the "Database Cleanup" section, you can: Select which tables (parts of your database) to clean Delete old records that you don't need anymore Right now, it shows "No log tables found" which means your database is already clean! Retention Policies Tab This tab helps you control how long data stays in your database. What It Does: Configure Retention Periods: You can set how many days to keep records in each part of your database Save Retention Policies: Click this blue button to save your settings Why This Matters: Keeping your database clean means your website runs faster You can choose how long to keep different types of data This helps prevent your database from getting too big and slow Archives Tab This tab shows you archived records - data that has been saved before being deleted. What You'll See: Archived Records: Any data that was archived (saved) before cleanup Right now it shows "No archives found" which means your database is clean! Why Archives Are Good: They act like a backup before data gets deleted You can review what was removed if needed Makes cleanup safer because you can always restore archived data History Tab This tab keeps track of all the cleanup activities. What It Shows: Cleanup History: A log of everything the plugin has cleaned up Right now it shows "No cleanup history found" which means the plugin hasn't done any cleanups yet, or it's a new installation Why History Is Helpful: You can see what was cleaned and when Helps you track how your database is being maintained Good for troubleshooting if something goes wrong Important Tips: Always save your changes by clicking "Save Changes" at the bottom If you make a mistake, you can "Discard Changes" to go back Start with the default settings if you're not sure what to do These features help keep your website fast and secure! Important Notes Automatic cleanup helps keep your site running fast Archiving before deletion is like making a backup before cleaning - it's safer You can always turn these features off if you prefer to clean your database manually Click "Save Changes" to keep your settings, or "Discard Changes" to go back to how things were --- - Published: 2026-02-16 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/maintenance-tools/self-defense/ - Docs Categories: Maintenance & Tools This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: When this is ON (green), it means: No one can turn off your security plugin If someone tries to turn it off, they'll need to prove who they are first Your website stays protected File Integrity Monitoring This feature watches your security plugin files to make sure no one changes them. Enable file integrity checks: When this is ON (green), it means: The plugin checks if any files have been changed If someone tries to mess with your plugin code, you'll get an alert Your security stays strong and trustworthy Deactivation Alerts This feature tells you when someone tries to turn off your security plugin. Send alerts on deactivation: When this is ON (green), it means: You'll get a message if someone tries to turn off your security Alerts can come to your email or other places you set up You'll know right away if something suspicious happens Important Warning If you ever need to turn off this security plugin (maybe to fix something), remember: You can use the "Emergency Access URL" from the Advanced Settings page Or you'll need to prove it's really you trying to turn it off --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/security-keys/wordpress-security-keys/ - Docs Categories: Security Keys WordPress security keys (also called "salts") are special codes that help protect your website from hackers Current Salt Keys The page shows several important security keys: AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT Action Buttons Hide Keys - Hides the key values (for extra security) Reveal Values - Shows the actual key codes Copy All - Copies all keys to your clipboard Download Backup - Saves a copy of all keys to your computer Changing WordPress salt keys will force all logged-in users to login again Scheduled Change By enabling this feature, it automatically changes your WordPress security keys on a regular schedule. How to use it: The dropdown menu lets you choose how often: "Daily" is currently selected When turned on, your keys will be updated automatically without you needing to do anything. Set Manual Time What it does: You choose a specific time for automatic key changes. How to use it: Use the day dropdown (currently set to "Saturday") Set the time using the hour and minute selectors (currently 08:00 or 8:00 AM) This means your keys will update automatically at 8:00 AM on Saturdays Reminder for Changing Salt Keys What it does: This toggle turns on/off reminders about manually updating your keys. Why you might want this: Even with automatic updates, it's good to stay aware of your site's security practices. Notification After Change What it does: When turned on, you'll get a notification after your keys have been automatically updated. Why this is useful: You'll know when your site's security has been refreshed. Pre-Change Notification What it does: This gives you a heads-up before scheduled key changes happen. How it works: The toggle turns this feature ON or OFF The dropdown lets you choose when to be notified (currently "24 hours before") This gives you time to prepare or skip the change if needed Reminder Interval What it does: Sets how often you receive reminders about key changes. Current setting: "7 days" - meaning you'll get reminders every week Pause Until... Button What it does: Temporarily stops automatic key changes When to use: During website maintenance or when you're moving your site to a new server How it works: Click this button to pause automatic updates until you're ready to resume Skip Next Button What it does: Skips the next scheduled key change When to use: If you know you'll be doing maintenance soon, or if you don't want the next update to happen Temporary control: Gives you quick control over the next update Salt Change History What it shows: A detailed log of all your security key changes Why it's useful: Lets you see when keys were changed and track your security updates How to access: Click the "View History" button to see all past changes Immediate Change What it does: Changes your security keys right away, without waiting for the schedule When to use: If you're concerned about security and want immediate protection How to use: Click the "Regenerate Salt Keys" button Important note: After clicking, all logged-in users will need to log in again Action Buttons Save Changes: Saves any settings you've adjusted Discard Changes: Ignores any changes you've made (goes back to previous settings) Unsaved changes: This warning appears if you've made changes but haven't saved them yet --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/security-hardening/security-hardening/ - Docs Categories: Security Hardening, Site Hardening This section helps make your WordPress website more secure by adjusting important security settings. Think of it like adding extra locks and security features to protect your website from potential threats. Understanding the Dashboard Color-Coded Recommendations Green tags: These are recommended settings that should be enabled for most websites Orange tags: These settings might affect how your website works - review them carefully before enabling Progress Tracking The number at the top (currently "0 / 35 features enabled") shows how many security features you've turned on out of the total available. Navigation Tabs You can switch between different security categories using the tabs: Access & Identity: User login and account security Files & Directories: Protecting your website files Headers & Fingerprinting: Hiding technical information APIs & Remote Access: Controlling external connections Frontend & Features: Website appearance and functionality Access & Identity Security Options This section helps protect user accounts and login processes: Recommended Settings (Green Tags) Disable "Anyone can register": Prevents random people from creating accounts on your site Prevent login feedback: Stops giving hints about whether a username or email exists Disable user enumeration: Makes it harder for attackers to discover user accounts Block common usernames: Prevents using easy-to-guess usernames like "admin" or "root" Force unique display names: Ensures all users have different names Hide Admin Bar from Frontend: Removes the admin toolbar from the public part of your site Hide Admin Bar from Backend: Removes the admin toolbar from the dashboard File & Directory Security Options This section helps protect your website's files and folders: Recommended Settings (Green Tags) Disable the built-in file editors: Turns off WordPress's built-in code editor, which prevents people from editing your files directly through the dashboard Prevent code execution in Uploads folder: Stops malicious code from running in your uploads folder Disable directory browsing: Prevents visitors from seeing a list of files in your folders Block Sensitive Files: Protects important configuration files from being accessed Header Security Options This section helps hide technical information about your website: Recommended Settings (Green Tags) Hide your WordPress version: Prevents showing which version of WordPress you're using Unset X Powered by header: Removes information about what software powers your site Hide CSS File Version: Hides version numbers in your CSS files Hide JS File Version: Hides version numbers in your JavaScript files Caution Setting (Orange Tag) Strict Content Security Policy on the frontend and login screen: This is an advanced security setting that might affect how your site works API & Remote Access Options This section helps protect your website from unauthorized external connections: Disable XML-RPC: Controls a feature that allows external systems to connect to your site Disable REST API for guests: Restricts access to the API for people who aren't logged in Disable Trackbacks & Pingbacks: Turns off notifications between websites Remove RSD Link: Hides a technical link used by some blogging tools Remove WLW Manifest Link: Hides a link used by Windows Live Writer Remove Shortlink: Hides a special short URL for your posts Frontend & Features Options This section helps optimize and secure how your website appears to visitors: Frontend & Features: Turns off special icons used in WordPress Disable WordPress Emojis: Stops emoji support on your site Remove RSS Feed Links: Hides links to your RSS feeds Add Featured Image to RSS Feed: Includes your post images in RSS feeds Disable Embeds in Widgets: Prevents embedding content in widgets Enable Shortcodes in Widgets: Allows using shortcodes in widgets Disable RSS Feed: Turns off your website's RSS feed completely --- - Published: 2026-02-15 - Modified: 2026-02-16 - URL: https://docs.wpultimatesecurity.com/docs/update-manager/update-history/ - Docs Categories: Update Manager This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you keep track of what's been updated, when, and whether those updates were successful. Update Statistics (Last 30 Days) At the top of the page, you'll see five important numbers: Total Updates: Shows how many updates were attempted in the last 30 days Successful: Shows how many updates completed without problems Failed: Shows how many updates didn't work properly Auto Updates: Shows how many updates happened automatically Manual Updates: Shows how many updates you or someone else did manually Filter Options You can use the dropdown menus to filter what you see: All Types: Filter by plugins, themes, or WordPress core All Statuses: Show only successful, failed, or all updates All Update Types: Show auto or manual updates Action Buttons Refresh: Click this to get the latest update information Export CSV: Download this data as a spreadsheet file Clear Old: Remove old update records (use carefully! ) --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/site-hardening/theme-updates/ - Docs Categories: Site Hardening, Update Manager Themes are the visual designs and layouts of your website - they control how your site looks and feels to visitors. Just like plugins, themes need regular updates to stay secure and work properly. Theme Updates Section This page helps you manage updates for your website's themes (the visual designs). Filter Tabs You can filter themes by their status: All: Shows every theme Active: Shows only themes currently being used Inactive: Shows themes that aren't active Update Available: Shows themes that need updates Search and Refresh Search themes: Find specific themes quickly Refresh: Get the latest update information Theme Control Options For each theme, you can control: Disable Updates: Turn OFF to stop this theme from updating automatically Turn ON to allow automatic updates Auto-Updates: Green means updates happen automatically Gray means you need to update manually Translation Updates: Green means translation files update automatically Gray means you need to update translations manually Hide Theme: Hide the theme from your dashboard (advanced option) --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/site-hardening/plugin-updates/ - Docs Categories: Site Hardening, Update Manager This page helps you control how your website updates itself. Updates are important because they: Fix security issues Add new features Keep your site running smoothly Plugin Updates Section This specific section shows updates for the plugins (extra features) installed on your website. Filter Tabs You can filter plugins by their status: All: Shows every plugin Active: Shows only plugins that are currently working Inactive: Shows plugins that are turned off Update Available: Shows plugins that need updates Abandoned: Shows plugins that aren't maintained anymore Search and Refresh Search plugins: Find specific plugins quickly Refresh: Get the latest update information Plugin List Your page shows two security plugins: Ultimate Security (version 1. 0. 17) Ultimate Security Pro (version 1. 0. 4) Plugin Control Options For each plugin, you can control: Disable Updates: Turn OFF to stop this plugin from updating automatically Turn ON to allow automatic updates Auto-Updates: Green means updates happen automatically Gray means you need to update manually Translation Updates: Green means translation files update automatically Gray means you need to update translations manually Hide Plugin: Hide the plugin from your dashboard (advanced option) --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/api-data-privacy/api-data-privacy/ - Docs Categories: API & Data Privacy, Site Hardening API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think of it like putting curtains on your windows - it keeps prying eyes from seeing what's inside. Enable API Privacy This toggle turns API privacy ON or OFF. When ON: Your website hides sensitive information from outsiders When OFF: Your website shows more information (less secure) User-Agent & URL Behavior This setting controls how your website handles web addresses (URLs) in API requests. Options These are extra privacy protections you can enable: Strip WordPress version information from User-Agent What it does: Hides which version of WordPress you're using Why helpful: Hackers can't target known vulnerabilities in your specific WordPress version Strip external plugins from API calls What it does: Hides information about plugins you've installed Why helpful: Prevents hackers from knowing which plugins might have security issues Strip external themes from API calls What it does: Hides information about your website's theme Why helpful: Stops hackers from targeting theme-specific vulnerabilities Modify data sent to core update API What it does: Changes how update information is sent Why helpful: Adds an extra layer of security during updates Strip wp_blog and wp_install headers What it does: Removes identifying headers from your site Why helpful: Makes it harder for attackers to gather information about your site Strip user login info from JSON API What it does: Hides user login details in API responses Why helpful: Protects your users' login information Debug Settings Disable HTTPS for packet sniffing What it does: Temporarily turns off secure connections (only for testing) Important: Should only be used by advanced users during testing Warning: Not for regular use - keeps your site less secure Save Changes: Applies all your privacy settings Discard Changes: Ignores any changes you've made --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/content-protection/display-settings/ - Docs Categories: Content Protection, Site Hardening You can customize the message when visitors try to do something that is blocked. Notification Type You can select from the drop-down menu how visitors will be notified when they try to do something blocked. "Alert Popup" shows a browser popup message "Toast" shows a subtle notification at the bottom of the screen "Silent" blocks the action without any message Custom Messages You can set specific messages for: Right-Click Message Copy Blocked Message Keyboard shortcut Message Mobile Protection You can enable two mobile-specific protections: Disable Mobile Long-Press - Prevents the long-press menu that appears on mobile devices Disable Touch Callout (iOS) - Disables the iOS touch callout menu that appears on images and links This section helps you control both what visitors see when protection is triggered and how your protection works on mobile devices. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/overview/ - Docs Categories: Login & Authentication, Two-Factor Authentication It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery codes. Navigate to Ultimate Security > Login Authentication 2FA Security Status At the top of the page, you will find three key metrics: Security Status  Indicates the 2FA system is active and working correctly Active Methods  See your 2FA options here. Click 'Compare method' to see a table at the bottom that explains the differences between each method. User Adoption Tracks how many users on your site have actually set up 2FA for their account. Quick Actions This section provides shortcuts to manage your two-factor authentication settings: Test 2FA: Verify your current setup by clicking here. You will be taken to a dashboard where you can choose to test either email or an authenticator app. Setup Wizard: Follow a guided flow to configure 2FA. You can select email OTP or an authenticator app. The wizard walks you through Level -> Method -> Roles -> Review steps before leading you to the final configuration page. View User Status: See which users on your site currently have 2FA enabled. Audit Logs: Review a history of authentication events and activities Authentication Methods This section helps you compare the two available security methods to decide which one to use. Email Verification: This method is easy to set up and does not require any extra applications. Authenticator App (Recommended): This option is very secure and easy to use. It requires a smartphone. You can view the security rating, pros, and cons for each method. To start setting up a method, click the Configure button. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/email-otp/ - Docs Categories: Login & Authentication, Two-Factor Authentication This page lets you set up email verification. When turned on, users will get a one-time code in their email every time they log in. Enable Email Verification There is a toggle switch. Enable for Roles This setting allows you to choose which user groups are required to use email 2FA. You may choose to disable this for regular subscribers to avoid friction during simple logins, unless your site deals with sensitive user data. NB: "Save Changes" or "Discard Changes" button will apply the settings Next Steps for Users Once you have enabled this feature on this page: Go to WordPress Dashboard > Users > Profile page Scroll down and find the Ultimate Security Select the email method. Get OTP from the email address for verification Save Settings to apply Security Considerations Please keep the following in mind: Email delivery is not always instant. Network issues or server load can cause delays, making the verification code expire before the user finds it. If a hacker has already compromised a user's email password, they can access the 2FA code, rendering this layer of security ineffective. Occasionally, verification codes can be flagged as spam and end up in the user's junk folder. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/authentication-apps/ - Docs Categories: Login & Authentication, Two-Factor Authentication Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet or phone signal. For extra protection, your login code changes every 30 seconds Authenticator Applications Toggle This switch enables or disables two-factor authentication. Enable for Roles This setting allows you to select which user roles are allowed to use the Authenticator App. Advanced Settings This section allows you to select the algorithm used to generate your OTP. You can choose between two options: TOTP (Time-Based): This is the most common algorithm and is used by virtually all authenticators. It generates a new verification code every 30 seconds based on the current time. HOTP (Event-Based): This option generates codes based on a counter. The code only changes when an event occurs (like a login attempt), rather than based on the time. XML-RPC  XML-RPC is a feature in WordPress that allows external services to communicate with your site remotely. You will see a dropdown menu with two specific options. This setting decides if 2FA is required when these external services try to connect. Option 1: Do not require 2FA over XMLRPC (default). External tools and mobile apps can connect to your site using just a username and password. They will not be asked for a 2FA code. Option 2: Do require 2FA over XMLRPC Any connection attempt via XML-RPC (including mobile apps) must provide a valid two-factor authentication code in addition to the password. Note: Only enable this requirement if you are sure your external apps support Two-Factor Authentication, or if you do not use external apps to manage your site Encrypt Keys in Database This feature locks your security codes inside the database to keep them hidden. It adds an extra layer of protection so that even if a hacker gets into your database, they cannot see or steal your login secrets. Note: Once you enable this feature, it cannot be disabled. However, it is completely safe to keep it enabled. Important Notice:  For the highest level of security, we strongly recommend using the Authentication App method (if available) instead of Email OTP. Authentication apps generate codes offline on your device, are immune to email delays, and are virtually impossible to intercept remotely. Use email OTP primarily as a backup method or for users who are unable to use an authentication app. Next Steps for Users Once you have enabled this feature on this page, your users must: Go to their WordPress Dashboard > Users > Profile page  Scroll down and find the Ultimate Security Select the Authentication App method. Click Setup Scan the provided QR code with their preferred mobile app to finish the connection. Reset 2FA Method settings to restore all settings --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/custom-login-url/ - Docs Categories: Login & Authentication, Login Hardening This page helps you protect your website by hiding your login page. By changing the address of your login page, you can stop automated robots and hackers from finding it. Login Page URL Below, you will see the login page URL field. This displays the default address for your login page. In the type box, you can change the default login URL and create a new private entrance. Old Login Page Redirect This option lets you redirect anyone who tries to access the default WordPress login page URL The default setting is 404. If a bot or hacker tries the old default link, they will receive a "Page Not Found" error. You can also add a custom URL in the box to redirect them to another link Show a Consent Message This option lets you show a custom message in the login form This feature has a toggle switch. Next to it, there is a text box containing a default message. This is the text that users will see when they reach your login page. You can type a custom message or welcome message here. Save Your Changes At the bottom of the section; You must click the button to apply any changes you made to the URL or settings. Important Reminder: Before changing your login URL: Bookmark your new login URL or write it down Save the Plugin Deactivation URL from Settings > More > Extra Test the new URL in an incognito window before logging out If locked out, you can deactivate the plugin via FTP or use the deactivation URL --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/password-requirements/ - Docs Categories: Login & Authentication, Login Hardening This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that all users create strong, hard-to-guess passwords. Enable Password Policies You will see the main option labeled "Enable password policies. " This is the switch for this entire page. If you turn this off, none of the password rules below will apply to your users. Quick Presets Below the main switch, you will see a row of tabs labeled "Quick presets. " These are shortcuts to quickly set how strict you want the password rules to be. The available tabs are Basic: Sets simple, easy-to-follow rules. Strong: Sets stricter rules for better security. Enterprise: Sets the highest level of security for professional environments. NB: Clicking one of these tabs automatically fills in the settings below (like length and character types) to match that level of security. Minimum Length Under the presets, you will find the setting for "Minimum length. " This controls how many characters a password must have. You can adjust the number (e. g. , 8, 12, 16) to make passwords shorter or longer. Require Uppercase & Lowercase Next, there is a checkbox labeled "Require uppercase & lowercase. " It means users cannot use all lowercase letters. They must be mixed in capital letters Require Numbers Below that, there is a checkbox labeled "Require numbers. " It means users must include at least one number in their password. Require Special Characters Finally, there is a checkbox labeled "Require special characters. " What this means: Users must include at least one special symbol (like ! , @, #, $, or %) in their password. Exclude Characters Located right below the "Require special characters" option, you will see an input box. While you force users to use special characters, you might want to ban specific ones that cause technical problems or are hard to type. If you type characters into this box (like " '), users will not be allowed to use those specific symbols in their passwords. Password History Next, you will see the setting for "Password history. " This is set to 1 by default This stops users from reusing their old passwords. A setting of "1" means a user cannot reuse their most recent password. They must pick a new one. If you set it to "5," they couldn't reuse their last 5 passwords. Expiration Period Below that, there is an option labeled "Expiration period. " This makes users pick a new password after a certain amount of time. Setting it to "0" (zero) means passwords never expire. Users can keep their password forever. If you want them to change it every 3 months or even in a year, you would enter "3" here and select the month/year near the box. Warning Days Next to the expiration setting, you will see "Warning days. " If you have an expiration period set, this setting warns the user before their password runs out. Setting any number means the user will receive a notice before their password expires, reminding them to update it. Grace Period Below the warning days, there is the "Grace period" setting. This gives users a few extra chances to log in after their password has technically expired. Setting any number means the user can still log in for the certain number of days after the expiration date. During this time, the site will usually force them to pick a new password immediately. After the days are over, they are locked out completely. Email Notification You will see a toggle switch labeled "Email notification. " The system will automatically send emails to users regarding their password. This ensures users get notified about upcoming expirations or required changes without you having to tell them manually. First Login Reset At the bottom of this section, there is a toggle labeled "First login reset. " This is useful for new accounts. When you create a new user and they log in for the very first time, the system will force them to change their password immediately. This ensures that only the actual user knows their password, not the admin who created the account Disable Self-Service Reset You will see a toggle switch labeled "Disable self-service reset. " Normally, users can click a "Lost your password? " link to reset their own password via email. By turning this on, you are disabling that feature. This is useful for high-security sites where you want to personally verify who is asking for a password reset. It prevents hackers from trying to take over accounts by using the reset tool. Custom Reset Message Below the toggle, there is a text box labeled "Custom reset message. The box currently contains the text "Contact site administrator to reset your password. " What this means: Since the standard reset link is now hidden, this is the message users will see instead. You can type any instructions you want here. For example, you could provide an email address telling users exactly how to reach you to get their password fixed. Custom Reset URL Next, there is an input field labeled "Custom reset URL. " What this means: If you have created a specific custom page or form on your website for users to request help, you can paste that link here. If you do not have a custom page, you can leave this as is. If you enter a URL, the system might redirect users to that specific page when they try to reset their password. Save or Discard Changes At the very bottom of the page, you will see buttons to control your settings. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/login-authentication/settings/ - Docs Categories: Login & Authentication, Session Management This page helps secure accounts by limiting current logins, terminating idle sessions, and tracking all login attempts About Active Logins When you look at the About Active Logins box, you will see a simple explanation of why this feature is good for your site. Enable Active Logins Logic There is a toggle switch to enable this feature Maximum Active Sessions This setting allows you to control how many devices can stay logged in at a time. Set your preferred session numbers in the box to limit login devices. Recommendations At the bottom of the page, you will see a Recommendations section. This gives you helpful advice on how many sessions to allow for different types of users. Note: If you aren't sure what number to pick, following the recommendations is the safest choice Use the buttons at the bottom of the page to save and discard changes. --- - Published: 2026-02-15 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/bot-protection/google-recaptcha/ - Docs Categories: Bot Protection, Threat Protection This section helps you block bots from spamming your website's form. It uses a tool from Google to check if a real person is trying to submit the form. Enable reCAPTCHA on Signup There is a switch labeled "Enable reCAPTCHA" to control this feature. reCAPTCHA Version You can choose between two versions of this method: v2: Usually shows the familiar "I'm not a robot" checkbox. v3: Works silently in the background without bothering your users unless it detects suspicious behavior. Enter Your Keys (Site Key & Secret Key) To make these features work, you need two special codes from Google. Site Key: This is a public code that goes into your website's form. Secret Key: This is a private code that stays on your server (in the plugin settings) to verify the check. How to fill this out: You will need to get these keys for free from the Google reCAPTCHA website. Once you have them, copy and paste the "Site Key" into the first box. Copy and paste the "Secret Key" into the second box. reCAPTCHA verification failed Use this box to change the message people see when they fail the security check. This message appears if someone gets the puzzle wrong or if the system thinks they are a robot. A default message is pre-filled in the text box, but you can overwrite it with your own custom text. Can not connect to server Use this box to write a message for when the security check doesn't work. This error might show up if your internet is down or if a security setting is stopping the connection. There is already a default message here, but you can change it. reCAPTCHA Field Title This setting allows you to change the text label that appears above the checkbox on your form. The default text is already set. You can change it too. reCAPTCHA Theme You can select Light or Dark theme based on your preferences reCAPTCHA Size You can select Normal or Compact size based on your preference No-Conflict Mode Enable No-Conflict Mode to prevent conflict from other themes or plugins and ensure your system runs smoothly. WooCommerce Registration If you are running an online store, enable this feature to secure your customer signup process. Enable reCAPTCHA on Signup This adds a security verification to the registration page during checkout, preventing automated bots from creating fraudulent customer accounts. Note: Once you are happy with your settings, scroll to the bottom and click the blue button that says Save Changes. If you made a mistake and want to go back to how things were before you started editing, click Discard Changes --- - Published: 2026-02-15 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/bot-protection/cloudflare-turnstile/ - Docs Categories: Bot Protection, Threat Protection This guide will help you set up and use the Cloudflare Turnstile plugin. This keeps your website safe without making it hard for your visitors Default WordPress Forms These settings determine where you want to use Cloudflare Enable toggle activates the following settings: WordPress Login WordPress Register WordPress Reset Password WordPress Comment. Your Keys Get your keys from the Cloudflare Dashboard. You have to log in to have these keys "Site Key" field. Paste your Site Key here. "Secret Key" field. Paste your Secret Key here. General Settings These settings control how the Turnstile check looks and works on your site. Theme: You can choose between "Light" and "Dark" themes. Pick the one that matches your website's look. Language: You can let the plugin automatically detect the language, or you can choose a specific language for the Turnstile check. Disable Submit Button: This option can stop people from submitting a form until they pass the security check. It's usually a good idea to leave this "Enable. " Advanced Settings These are for more experienced users, but you can still use them Widget Size: Choose the size of the security check. Appearance Mode: Choose when the security check appears. "Always" means it will always be there. Defer Scripts: This can make your website load faster. It's usually best to leave this "Enable. " Custom Error Message: If someone fails the security check, you can show them a special message. The default is "Please verify that you are human. " Extra Failure Message: Add another message if the check fails. It's usually best to leave this "Disable. " Whitelist Settings This lets certain people skip the security check. Logged In Users: If you "Enable" this, people who are logged into your website won't see the security check. IP Addresses: You can add IP addresses here. If you add an IP address, anyone using that address won't see the security check. User Agents: You can add "User Agents" here. This is like a browser's name. If you add a User Agent, anyone using that browser won't see the check. Turnstile Logs If you "Enable" this, the plugin will keep a record of when the security check is used. Don't forget to click the "Save Changes" button at the bottom of the page. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/login-attempts/ - Docs Categories: Brute Force Protection, Threat Protection This setting helps you stop automated robots from guessing your password. Login Limit This is the main switch that activates the protection. Login Attempts  This tells the plugin how many times someone is allowed to type the wrong password. If someone guesses wrong 4(the default) times, we immediately block them. Lockout Duration:  This is how long the person is "put in timeout" after guessing wrong too many times. They will have to wait certain time before they can try again. Increase Login attempts: If the same person gets locked out in hours, the plugin decides they are a serious threat and gets tougher. Increase Lockout Duration:  Once they are marked as a serious threat, we Increase Lockout time in hours after first lockout. Retries Reset Duration:  Sometimes a real user just forgets their password. This setting tells the plugin: If they haven't tried to log in for a particular hour, forget about their past mistakes and let them start fresh. Block Users Stop a specific person from logging into your website. In the input box, type the exact username of the person you want to block. Select All: Click this if you want to highlight every user currently on your blocked list at the same time. Remove All: Click this to clear the entire list and unblock everyone. Recovery URL Use this link if you ever get locked out of your account. So please keep it private and store it somewhere safe offline Please follow these steps carefully: Generate Key: Click the Generate Key button. The plugin will create a secret link just for you. Copy: Click the Copy button to save that link to your computer's clipboard. Save It Somewhere Safe: This is the most important step. Paste that link into a document on your computer, write it in a notebook, or save it in a password manager. Important Warning: Do not lose this link. If you get locked out, this is the only way you can get back in to manage your site. Keep it private and do not share it with anyone. NOTE: Once you have these settings how you like them, click Save Changes --- - Published: 2026-02-15 - Modified: 2026-02-17 - URL: https://docs.wpultimatesecurity.com/docs/brute-force-protection/lockout-notifications/ - Docs Categories: Brute Force Protection, Threat Protection Lockout Notifications The switch controls the configuration setting Notification Email Enter the email address where you want to receive these alerts. After you type your email, click "send text" button. It will send a test email to make sure everything is working correctly. Check the Spam folder if it's not found in the inbox Notify On User Lockout Sends an email when someone is blocked for trying the wrong password too many times. Extended Lockout Sends an email when a persistent hacker is blocked for a long time (usually because they kept trying to break in). Recovery URL Used Sends an email if someone uses the secret "Emergency Unlock Key. " Email Rate Limit If your site is under attack, you might get hundreds of alerts in a few minutes. This setting stops that. It limits the emails to 10 (default) per hour. This way, you stay informed, but your inbox doesn't get completely clogged up. Once you have your email address set and your choices made, click Save Changes at the bottom of the page. --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/content-protection/content-protection-overview/ - Docs Categories: Content Protection, Site Hardening Content Protection Overview page helps you protect your website's content from being copied by visitors. Enable Content Protection This main toggle turns the entire content protection feature on or off. It prevents visitors from copying your text, images, and other content. Protection Scope You can choose to protect either your entire website ("Whole Site") or only specific pages ("Specific Pages"). Protect WooCommerce Product This toggle specifically protects your store's product pages. Add categories to protection-specific product categories. Custom URLs Patterns You can add custom URL patterns to protect specific sections of your site that aren't covered by the other options. Exclude User Roles You can choose which user roles should be able to bypass the content protection (administrators are always excluded by default). Save or Discard button to apply changes --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/content-protection/text-protection/ - Docs Categories: Content Protection, Site Hardening This feature helps protect the text content on your website from being copied by visitors. Disable Right-Click This stops visitors from right-clicking on your site. This prevents them from copying your text or saving your images. Disable Text Selection This stops visitors from selecting text on your pages by highlighting it, making it impossible to copy text. Disable Copy (Ctrl+C) This blocks the standard keyboard shortcut (Ctrl+C) on Windows or Command+C on (Mac) that people use to copy selected text. Disable Cut (Ctrl+X) This blocks the standard keyboard shortcut (Ctrl+X) on Windows or Command+X on (Mac) that people use to cut selected text. Save or Discard button to apply changes --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/content-protection/image-protection/ - Docs Categories: Content Protection, Site Hardening This helps you stop people from stealing the images on your website. It makes it much harder for visitors to save your original work to their devices. Disable Image Right-Click This prevents visitors from right-clicking on your images, which stops them from accessing the "Save Image As" option. Disable Image Dragging Stop visitors from dragging your images to their device. This makes it impossible for them to save your pictures just by pulling them off the page. Image Overlay Protection This adds an "invisible shield" over your photos. If a user tries to find another way to download the image, they will end up with a blank photo. Hotlink Protection "Hotlinking" is when another website displays your images by linking directly to your server. This feature blocks other sites from using your images. Save or Discard button to apply changes --- - Published: 2026-02-15 - Modified: 2026-02-15 - URL: https://docs.wpultimatesecurity.com/docs/content-protection/keyboard-shortcut/ - Docs Categories: Content Protection, Site Hardening Keyboard Shortcut Protection blocks keyboard shortcuts to access developer tools or save your website content. Disable Developer Tools This blocks keyboard shortcuts like F12, Ctrl+Shift+I, and Ctrl+Shift+J that people use to open browser developer tools. This prevents visitors from inspecting your website's code. Disable View Source This blocks the Ctrl+U shortcut that allows visitors to view the HTML source code of your pages. Disable Save Page This blocks the Ctrl+S shortcut that lets visitors save your entire webpage. Disable Print This blocks the Ctrl+P shortcut and hides the print content option from printing your website content. Save or Discard button to apply changes --- - Published: 2026-01-28 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/how-it-works/monitoring-diagnostics/ - Docs Categories: How It Works? Site Health The Site Health page is like a doctor’s report for your website. It shows you exactly how your site is built and if it is running smoothly. If you ever need to ask a professional for help, all the information they need is right here. The Action Buttons At the top of the page, you have three main tools: Copy site info: This copies all your technical details so you can easily paste them into an email for support. Refresh: This updates the page to show the most recent information. Export: This saves a copy of all this information to your computer. The Information Tabs There are six different "folders" of information you can look through: 1. WordPress This shows your site’s "ID card. " It tells you which version of WordPress you are using (like 6. 9) and if your site is using a "secure lock" (HTTPS). If you see "HTTPS is not enabled," you should fix this to keep your site safe. 2. Environment This shows details about the computer (server) where your website lives. PHP Version: This is the main "engine" version your site runs on. Memory Limit: This shows how much "brain power" your site is allowed to use. WP_DEBUG: If this says "Enabled" with a red warning, it might show technical errors to your visitors. It is usually safer to have this "Disabled". 3. Database This is the "filing cabinet" where all your posts, pages, and settings are stored. It lists the technical names and versions of your database so experts can see how it is organized. 4. Filesystem This section checks the "drawers" on your server to make sure WordPress is allowed to save and move files. It shows where your plugins, themes, and images are kept on the computer. 5. Themes This lists the different designs (Themes) you have installed. Active: The design you are currently using for your site. Inactive: Other designs you have downloaded but are not using right now. 6. Plugins This shows the extra "tools" (Plugins) you have added to your site, like Ultimate Security. It tells you if they are Active and which version you are using. Error Notifications Page This page helps you set up how you want to get alerts when something goes wrong with your website. What You Can Do Here: Notification Email: You can choose which email address gets error messages Right now it's set to: youremail@gmail. com Send Test Email: Click the "Send Test" button to check if your email notifications work Remember to check your spam folder if you don't see the test email Slack Channel: You can send error alerts to a Slack channel The channel name is: #security-alerts The channel must already exist in your Slack workspace Slack Webhook URL: This is a special link that connects your website to Slack It should look like: https://hooks. slack. com/services/xxxxxx Send Test Message: Click "Send Slack" to test if your Slack notifications work Error Levels To Notify: These are different types of errors your site might have You can turn each type ON or OFF using the toggle switches Right now, "E_ERROR" is turned ON (green switch) Other types like warnings, notices, and user errors can be turned on or off Test Mode Page This page helps you test your security settings without actually blocking real users. Enable Test Mode: When ON, it simulates security features without really blocking anyone User Roles: You can choose which user types to test with: Administrator (always active) Editor Author Contributor Subscriber Each has its own toggle switch Safety Options: Always exclude administrators (recommended) - keeps you safe from being blocked Log simulated blocks to activity logs - keeps records of test runs Show test mode notice in admin dashboard - reminds you it's in test mode Simulation Statistics: Shows how many test blocks happened: Today: 0 This Week: 0 This Month: 0 Total: 0 You can "Refresh Stats" or "Clear All Logs" Recent Simulations: Shows your test results Right now it says: "No simulation logs yet. Enable test mode and wait for security events to be simulated. " Vulnerability Scanner This is the Vulnerability Scanner page. It helps you check if your plugins and themes have any security problems. Top Section: Scans your plugins and themes against security databases Two buttons: "Scan Now" and "Settings" Search and Filter: Search bar to look for specific plugins or themes Filter tabs: Plugins, Themes, WordPress Core Settings (Popup) This is a popup window that opens when you click the "Settings" button. It helps you configure the scanner. What You Can Configure: API Configuration: WPScan API Key: Enter your WPScan API key Patchstack API Key: Enter your Patchstack API key Schedule: Scan Frequency: Choose how often to scan (currently set to "Daily") Abandoned Threshold: Set how many days to check for abandoned plugins/themes Notifications: Email Notifications: Toggle ON/OFF (currently ON) Notification Email: Enter the email address to receive alerts Severity Levels: Choose which types of issues to notify about (Critical, High, Medium, Low) Buttons: Cancel: Close without saving Continue: Save your settings --- - Published: 2026-01-28 - Modified: 2026-02-02 - URL: https://docs.wpultimatesecurity.com/docs/how-it-works/maintenance-tools/ - Docs Categories: How It Works? Comments Management Global Comments This section lets you decide where people are allowed to leave comments. What it does: You can turn off comments for your whole website or just for specific types of pages. How to use it: Use the dropdown menu to choose if you want to disable comments everywhere or only on certain parts of your site. 2. Select Post Types If you chose to turn off comments on "certain post types," this is where you pick them. What it does: You can flip the switch for Posts, Pages, Media (like images), or Products. Why use it: Sometimes you want people to comment on your blog posts, but not on your "Contact Us" page or product images. 3. Comment Settings (The Spam Blockers) Spammers love to leave links to other websites. These settings stop them. Remove "url" in the comment form: This hides the box where people normally type their website address. If they can't put their link, they usually won't leave a spam comment. Remove external links in the comments: If a spammer does leave a link, this tool will strip it out. Replace external links from author bio: This stops people from using their profile name to advertise other websites. 4. Cleaning Up Old Comments The bottom sections are for deleting comments that are already there. Remove All Comments: Use this to wipe the slate clean and delete every single comment on your site. Remove Spam Comments: This deletes comments that WordPress has already flagged as "Spam. " Remove Unapproved Comments: This clears out comments waiting for you to say "Yes" or "No" to them. Remove Trashed Comments: This empties the "Trash" bin for your comments, like taking the garbage out to the curb. Always click the purple Save Changes button at the very bottom left after you make a choice. If you don't, the plugin won't remember what you picked! Backup & Restore Backup Settings This section lets you save your current settings into a file that lives on your computer. What it does: It turns all your switches and buttons into a special file (called a JSON file). Select sections to export: You can choose exactly what to save. You can check boxes for things like Login Settings, Security Settings, or Access Restrictions. Download Backup: When you click this purple button, the file downloads to your computer. Copy: This button lets you copy the settings as text if you just want to paste them somewhere else. Restore Settings If you move to a new website or accidentally mess up your settings, use this area to fix it. What it does: It takes a file you saved earlier and puts all those settings back onto your site. How to use it: You can Drag & drop your saved file into the gray box, or click Select JSON File to find it on your computer. Import Settings: Once the file is uploaded, click this to turn the settings on. Security Tools REST API Methods The REST API uses four main types of messages to manage your website's data: GET (The "Reader"): This is used when your site wants to read or look at information. It’s like opening a book to see what is written inside. POST (The "Creator"): This is used to add or create something new. It’s like writing a brand-new page and adding it to your book. PUT (The "Editor"): This is used to update or fix something that is already there. It’s like taking an eraser to a mistake and writing the correct information over it. DELETE (The "Eraser"): This is used to remove information. It’s like ripping a page out of the book and throwing it away. What the Status Colors Mean Active (Green): The "door" is open, and your website can use this method to talk to other apps. Inactive (Red): The "door" is locked. This might be for safety, but sometimes it can stop certain features from working. Server Resources This part shows you how hard your website's "brain" is working. Memory Limit: This is the total amount of "thinking space" your website has (for example, 256M). Current Usage: This shows how much of that space you are using right now. If the green bar gets too full, your site might slow down. Max Execution Time: This is the amount of time (in seconds) your site is allowed to work on a single task before it gives up. Copy & Print: You can use these buttons to save this information if you ever need to show it to a tech expert for help. 3. Scheduled Tasks This is the "To-Do List" for your security plugin. Event Name: This is the name of the specific job the plugin needs to do, like checking your files for changes or sending alerts. Schedule: This tells you how often the job happens (for example, "every minute" or "hourly"). Next Run: This shows a countdown of when the job will start again. Actions (Run Button): If you don't want to wait for the timer, you can click the Run button to make the plugin do that task immediately. You don't usually need to change anything here. This page is mostly for checking that everything is working exactly as it should! Advanced Settings Data Management This section decides what happens if you ever decide to stop using the plugin and delete it. Delete plugin data on uninstall: * What it does: If you turn this switch ON, the plugin will erase everything it ever recorded (like settings and security logs) when you delete it from WordPress. Why use it: Use this if you want to make sure no leftover "digital trash" is left behind on your website. Warning: Once this data is deleted, you can never get it back! Emergency Access (The "Spare Key") This is one of the most important parts of the plugin. Sometimes, security settings might accidentally lock you out of your own website. Emergency URL: This is a secret web link made just for you. What it does: If you are locked out, you can paste this secret link into your browser. It will automatically turn off the security plugin so you can get back into your site. How to use it: 1. Save it: Copy this link and save it somewhere safe, like a notebook or a private file on your phone. 2. Test URL: Click this to make sure the link works. 3. Regenerate URL: If you think someone else saw your secret link, click this to create a brand-new one. Reset & Cache (The "Fresh Start") If the plugin is acting strangely or you just want to go back to the beginning, use these buttons. Reset to Defaults: * What it does: This pushes the "Reset" button on every setting in the plugin. It will go back to exactly how it looked when you first installed it. Clear Cache: * What it does: This clears out "temporary memory" that the plugin uses. Why use it: If you changed a setting but don't see the change happening on your site, clicking this can usually fix the problem. Always remember to click the Save Changes button at the bottom left after turning on the "Delete plugin data" switch! Database Cleanup Database Stats At the top, you'll see four important numbers: Total Database Size: How big your database is (right now it shows 0 B) Total Records: How many things are stored in your database (right now it shows 0) 30-Day Growth Estimate: How much your database might grow in 30 days Avg. Daily Records: How many new things are added each day Step 2: Turn On Automatic Cleanup You'll see two toggle switches: Enable Automatic Cleanup - This automatically removes old, unnecessary data from your database Enable Archiving Before Deletion - This saves a copy of data before removing it (good for safety) Both are turned ON by default, which is usually best for most websites. Step 3: Clean Up Your Database In the "Database Cleanup" section, you can: Select which tables (parts of your database) to clean Delete old records that you don't need anymore Right now, it shows "No log tables found" which means your database is already clean! Overview Tab This is the main dashboard that shows you: Your total database size How many records (items) are in your database How your database is growing Average daily records being added It gives you a quick look at how healthy your database is right now. Retention Policies Tab This tab helps you control how long data stays in your database. What It Does: Configure Retention Periods: You can set how many days to keep records in each part of your database Save Retention Policies: Click this blue button to save your settings Why This Matters: Keeping your database clean means your website runs faster You can choose how long to keep different types of data This helps prevent your database from getting too big and slow Archives Tab This tab shows you archived records - data that has been saved before being deleted. What You'll See: Archived Records: Any data that was archived (saved) before cleanup Right now it shows "No archives found" which means your database is clean! Why Archives Are Good: They act like a backup before data gets deleted You can review what was removed if needed Makes cleanup safer because you can always restore archived data History Tab This tab keeps track of all the cleanup activities. What It Shows: Cleanup History: A log of everything the plugin has cleaned up Right now it shows "No cleanup history found" which means the plugin hasn't done any cleanups yet, or it's a new installation Why History Is Helpful: You can see what was cleaned and when Helps you track how your database is being maintained Good for troubleshooting if something goes wrong Important Tips: Always save your changes by clicking "Save Changes" at the bottom If you make a mistake, you can "Discard Changes" to go back Start with the default settings if you're not sure what to do These features help keep your website fast and secure! Important Notes Automatic cleanup helps keep your site running fast Archiving before deletion is like making a backup before cleaning - it's safer You can always turn these features off if you prefer to clean your database manually Click "Save Changes" to keep your settings, or "Discard Changes" to go back to how things were Self Defense Protection This feature keeps your security plugin safe from being turned off by bad people. Enable Self Defense: When this is ON (green), it means: No one can easily turn off your security plugin If someone tries to turn it off, they'll need to prove who they are first Your website stays protected File Integrity Monitoring This feature watches your security plugin files to make sure no one changes them. Enable file integrity checks: When this is ON (green), it means: The plugin checks if any files have been changed If someone tries to mess with your plugin code, you'll get an alert Your security stays strong and trustworthy Deactivation Alerts This feature tells you when someone tries to turn off your security plugin. Send alerts on deactivation: When this is ON (green), it means: You'll get a message if someone tries to turn off your security Alerts can come to your email or other places you set up You'll know right away if something suspicious happens Important Warning If you ever need to turn off this security plugin (maybe to fix something), remember: You can use the "Emergency Access URL" from the Advanced Settings page Or you'll need to prove it's really you trying to turn it off --- - Published: 2026-01-26 - Modified: 2026-02-01 - URL: https://docs.wpultimatesecurity.com/docs/how-it-works/site-hardening/ - Docs Categories: How It Works? Content Protection Content Protection Overview page helps you protect your website's content from being copied by visitors. Enable Content Protection This main toggle turns the entire content protection feature on or off. It prevents visitors from copying your text, images, and other content. Select Protection Scope You can choose to protect either your entire website ("Whole Site") or only specific pages ("Specific Pages"). Protect WooCommerce Product This toggle specifically protects your store's product pages. Add categories to protection-specific product categories. Protect Custom URLs You can add custom URL patterns to protect specific sections of your site that aren't covered by the other options. Exclude User Roles You can choose which user roles should be able to bypass the content protection (administrators are always excluded by default). Save or Discard button to apply changes Text Protection This feature helps protect the text content on your website from being copied by visitors. Disable Right-Click This stops visitors from right-clicking on your site. This prevents them from copying your text or saving your images. Disable Text Selection This stops visitors from selecting text on your pages by highlighting it, making it impossible to copy text. Disable Copy (Ctrl+C) This blocks the standard keyboard shortcut (Ctrl+C) on Windows or Command+C on (Mac) that people use to copy selected text. Disable Cut (Ctrl+X) This blocks the standard keyboard shortcut (Ctrl+X) on Windows or Command+X on (Mac) that people use to cut selected text. Save or Discard button to apply changes Image Protection This helps you stop people from stealing the images on your website. It makes it much harder for visitors to save your original work to their devices. Disable Image Right-Click This prevents visitors from right-clicking on your images, which stops them from accessing the "Save Image As" option. Disable Image Dragging Stop visitors from dragging your images to their device. This makes it impossible for them to save your pictures just by pulling them off the page. Image Overlay Protection This adds an "invisible shield" over your photos. If a user tries to find another way to download the image, they will end up with a blank photo. Hotlink Protection "Hotlinking" is when another website displays your images by linking directly to your server. This feature blocks other sites from using your images. Save or Discard button to apply changes Keyboard Shortcut Keyboard Shortcut Protection blocks keyboard shortcuts to access developer tools or save your website content. Disable Developer Tools This blocks keyboard shortcuts like F12, Ctrl+Shift+I, and Ctrl+Shift+J that people use to open browser developer tools. This prevents visitors from inspecting your website's code. Disable View Source This blocks the Ctrl+U shortcut that allows visitors to view the HTML source code of your pages. Disable Save Page This blocks the Ctrl+S shortcut that lets visitors save your entire webpage. Disable Print This blocks the Ctrl+P shortcut and hides the print content option from printing your website content. Save or Discard button to apply changes Display Settings You can customize the message when visitors try to do something that is blocked. Notification Type You can select from the drop-down menu how visitors will be notified when they try to do something blocked. "Alert Popup" shows a browser popup message "Toast" shows a subtle notification at the bottom of the screen "Silent" blocks the action without any message Custom Messages You can set specific messages for: Right-click attempts Copy attempts Keyboard shortcut attempts Mobile Protection You can enable two mobile-specific protections: Disable Mobile Long-Press - Prevents the long-press menu that appears on mobile devices Disable Touch Callout (iOS) - Disables the iOS touch callout menu that appears on images and links This section helps you control both what visitors see when protection is triggered and how your protection works on mobile devices. Security Keys Settings WordPress security keys (also called "salts") are special codes that help protect your website from hackers Current Salt Keys The page shows several important security keys: AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT Each one has a 100% strength rating. Action Buttons Hide Keys - Hides the key values (for extra security) Reveal Values - Shows the actual key codes Copy All - Copies all keys to your clipboard Download Backup - Saves a copy of all keys to your computer Changing WordPress salt keys will force all logged-in users to login again Scheduled Change What it does: This feature automatically changes your WordPress security keys on a regular schedule. How to use it: The toggle switch turns automatic key changes ON or OFF The dropdown menu lets you choose how often: "Daily" is currently selected When turned on, your keys will be updated automatically without you needing to do anything Why this is helpful: Regularly changing keys makes your site more secure by invalidating any potential threats. Set Manual Time What it does: Lets you choose a specific time for automatic key changes. How to use it: Use the day dropdown (currently set to "Saturday") Set the time using the hour and minute selectors (currently 08:00 or 8:00 AM) This means your keys will update automatically at 8:00 AM on Saturdays Reminder for Changing Salt Keys What it does: This toggle turns on/off reminders about manually updating your keys. Why you might want this: Even with automatic updates, it's good to stay aware of your site's security practices. Notification After Change What it does: When turned on, you'll get a notification after your keys have been automatically updated. Why this is useful: You'll know when your site's security has been refreshed. Pre-Change Notification What it does: This gives you a heads-up before scheduled key changes happen. How it works: The toggle turns this feature ON or OFF The dropdown lets you choose when to be notified (currently "24 hours before") This gives you time to prepare or skip the change if needed Reminder Interval What it does: Sets how often you receive reminders about key changes. Current setting: "7 days" - meaning you'll get reminders every week Pause Until... Button What it does: Temporarily stops automatic key changes When to use: During website maintenance or when you're moving your site to a new server How it works: Click this button to pause automatic updates until you're ready to resume Skip Next Button What it does: Skips the next scheduled key change When to use: If you know you'll be doing maintenance soon, or if you don't want the next update to happen Temporary control: Gives you quick control over the next update Salt Change History What it shows: A detailed log of all your security key changes Why it's useful: Lets you see when keys were changed and track your security updates How to access: Click the "View History" button to see all past changes Immediate Change What it does: Changes your security keys right away, without waiting for the schedule When to use: If you're concerned about security and want immediate protection How to use: Click the "Regenerate Salt Keys" button Important note: After clicking, all logged-in users will need to log in again Action Buttons Save Changes: Saves any settings you've adjusted Discard Changes: Ignores any changes you've made (goes back to previous settings) Unsaved changes: This warning appears if you've made changes but haven't saved them yet API & Data Privacy API Privacy? API (Application Programming Interface) privacy helps protect your website by hiding information that WordPress normally shows to the public. Think of it like putting curtains on your windows - it keeps prying eyes from seeing what's inside. Enable API Privacy This toggle turns API privacy ON or OFF. When ON: Your website hides sensitive information from outsiders When OFF: Your website shows more information (less secure) Recommendation: Keep this ENABLED for better security. User-Agent & URL Behavior This setting controls how your website handles web addresses (URLs) in API requests. Current setting: "No changes" - meaning your website shows normal URL behavior Why it matters: How URLs are handled can affect your site's privacy Privacy Options (Advanced Settings) These are extra privacy protections you can enable: Strip WordPress version information from User-Agent What it does: Hides which version of WordPress you're using Why helpful: Hackers can't target known vulnerabilities in your specific WordPress version Strip external plugins from API calls What it does: Hides information about plugins you've installed Why helpful: Prevents hackers from knowing which plugins might have security issues Strip external themes from API calls What it does: Hides information about your website's theme Why helpful: Stops hackers from targeting theme-specific vulnerabilities Modify data sent to core update API What it does: Changes how update information is sent Why helpful: Adds an extra layer of security during updates Strip wp_blog and wp_install headers What it does: Removes identifying headers from your site Why helpful: Makes it harder for attackers to gather information about your site Strip user login info from JSON API What it does: Hides user login details in API responses Why helpful: Protects your users' login information Debug Settings Disable HTTPS for packet sniffing What it does: Temporarily turns off secure connections (only for testing) Important: Should only be used by advanced users during testing Warning: Not for regular use - keeps your site less secure Save Your Changes Save Changes: Applies all your privacy settings Discard Changes: Ignores any changes you've made Plugin Updates Update Management This page helps you control how your website updates itself. Updates are important because they: Fix security issues Add new features Keep your site running smoothly Plugin Updates Section This specific section shows updates for the plugins (extra features) installed on your website. Filter Tabs You can filter plugins by their status: All: Shows every plugin Active: Shows only plugins that are currently working Inactive: Shows plugins that are turned off Update Available: Shows plugins that need updates Abandoned: Shows plugins that aren't maintained anymore Search and Refresh Search plugins: Find specific plugins quickly Refresh: Get the latest update information Plugin List Your page shows two security plugins: Ultimate Security (version 1. 0. 17) Ultimate Security Pro (version 1. 0. 4) Plugin Control Options For each plugin, you can control: Disable Updates: Turn OFF to stop this plugin from updating automatically Turn ON to allow automatic updates Auto-Updates: Green means updates happen automatically Gray means you need to update manually Translation Updates: Green means translation files update automatically Gray means you need to update translations manually Hide Plugin: Hide the plugin from your dashboard (advanced option) Theme Updates What is Theme Management? Themes are the visual designs and layouts of your website - they control how your site looks and feels to visitors. Just like plugins, themes need regular updates to stay secure and work properly. Theme Updates Section This page helps you manage updates for your website's themes (the visual designs). Filter Tabs You can filter themes by their status: All: Shows every theme Active: Shows only themes currently being used Inactive: Shows themes that aren't active Update Available: Shows themes that need updates Search and Refresh Search themes: Find specific themes quickly Refresh: Get the latest update information Theme List Your page shows three WordPress themes: Twenty Twenty-Five (version 1. 4) Twenty Twenty-Four (version 1. 4) Twenty Twenty-Three (version 1. 6) Theme Control Options For each theme, you can control: Disable Updates: Turn OFF to stop this theme from updating automatically Turn ON to allow automatic updates Auto-Updates: Green means updates happen automatically Gray means you need to update manually Translation Updates: Green means translation files update automatically Gray means you need to update translations manually Hide Theme: Hide the theme from your dashboard (advanced option) Update Manager What Are These Settings For? This page helps you control how your website updates itself. Updates are like getting new, improved versions of things on your website - they fix problems, add new features, and keep everything secure. General Update Settings WordPress Core Updates This controls how your main WordPress software gets updated. Current setting: "Manual updates" - meaning you need to click a button to update WordPress Other options you might see: Automatic updates: WordPress updates itself without you doing anything Daily updates: Checks for updates every day Weekly updates: Checks for updates once a week Plugin Updates This controls how your plugins (extra features) get updated. Current setting: "Manual updates" - you need to update plugins yourself Why this matters: Plugins can have security issues that need fixing, just like apps on your phone. Theme Updates This controls how your website's design (themes) gets updated. Current setting: "Manual updates" - you need to update themes yourself Why this matters: Theme updates often fix design problems and security issues. Toggle Switch Options Disable Automatic Translation Updates What it does: Stops translations from updating automatically When to use: If you don't need translated content or want to control translations yourself Enable updates for VCS Installations What it does: Allows updates for version-controlled installations When to use: If you're using advanced version control (most users don't need this) Updates nags only for Admin What it does: Only shows update notifications to website administrators Why helpful: Keeps regular users from seeing technical messages Enable Update Schedule Window What it does: Lets you choose specific hours for updates Why helpful: You can avoid updating during your website's busiest times (when most visitors are online) Example: If your site gets lots of traffic in the afternoon, you can schedule updates for early morning Auto-Update Delay Current setting: "No delay" - updates happen right away Other options: You can add a delay (like 1 hour, 6 hours, or 24 hours) Why helpful: Gives time for any problems with new updates to be discovered before your site gets updated Enable Maintenance Mode During Updates What it does: Puts your site in "maintenance mode" during updates Why helpful: Visitors see a friendly message instead of error pages while updates are happening Day-of-Week Scheduling What it does: Lets you choose which days updates can happen Why helpful: You can avoid updating on your website's busiest days Example: If weekends are your busiest, you can schedule updates for weekdays only Freeze Periods What it does: Creates "freeze" periods when updates are completely blocked How to use: Click "Add" to create a new freeze period Choose start and end dates Updates won't happen during these times Why helpful: Perfect for important events, sales, or when you can't have any disruptions Email Notifications What it does: Sends you email updates about your website's updates Why helpful: You'll know exactly when updates happen and if there are any issues How often: Once a day, with a summary of what happened WordPress Core Email Notification Core Notifications This toggle controls whether you get email updates about your WordPress core (the main software). Important Note: These core notifications are handled by WordPress itself, not by this security plugin. Changing settings here only affects this plugin's notifications. What Core Notifications Include Core notifications typically tell you about: WordPress version updates Security patches Important maintenance information Advanced Options This section has powerful tools for managing your website updates. Proceed with caution - these options can affect how your site works. Force Automatic Updates This is a powerful feature that lets you manually trigger updates for everything on your website at once. What it does: Updates your plugins (extra features) Updates your themes (website designs) Updates WordPress core (main software) Save Changes: Applies any changes you've made Discard Changes: Ignores any changes (goes back to previous settings) Update History What is this page for? This dashboard shows you a record of all updates that have been made to your WordPress website. It helps you keep track of what's been updated, when, and whether those updates were successful. Understanding the Dashboard Top Statistics (Last 30 Days) At the top of the page, you'll see five important numbers: Total Updates: Shows how many updates were attempted in the last 30 days Successful: Shows how many updates completed without problems Failed: Shows how many updates didn't work properly Auto Updates: Shows how many updates happened automatically Manual Updates: Shows how many updates you or someone else did manually Filter Options You can use the dropdown menus to filter what you see: All Types: Filter by plugins, themes, or WordPress core All Statuses: Show only successful, failed, or all updates All Update Types: Show auto or manual updates Action Buttons Refresh: Click this to get the latest update information Export CSV: Download this data as a spreadsheet file Clear Old: Remove old update records (use carefully! ) Security Hardening What is Security Hardening? This section helps make your WordPress website more secure by adjusting important security settings. Think of it like adding extra locks and security features to protect your website from potential threats. Understanding the Dashboard Color-Coded Recommendations Green tags: These are recommended settings that should be enabled for most websites Orange tags: These settings might affect how your website works - review them carefully before enabling Progress Tracking The number at the top (currently "0 / 35 features enabled") shows how many security features you've turned on out of the total available. Navigation Tabs You can switch between different security categories using the tabs: Access & Identity: User login and account security Files & Directories: Protecting your website files Headers & Fingerprinting: Hiding technical information APIs & Remote Access: Controlling external connections Frontend & Features: Website appearance and functionality Access & Identity Security Options This section helps protect user accounts and login processes: Recommended Settings (Green Tags) Disable "Anyone can register": Prevents random people from creating accounts on your site Prevent login feedback: Stops giving hints about whether a username or email exists Disable user enumeration: Makes it harder for attackers to discover user accounts Block common usernames: Prevents using easy-to-guess usernames like "admin" or "root" Force unique display names: Ensures all users have different names Hide Admin Bar from Frontend: Removes the admin toolbar from the public part of your site Hide Admin Bar from Backend: Removes the admin toolbar from the dashboard File & Directory Security Options This section helps protect your website's files and folders: Recommended Settings (Green Tags) Disable the built-in file editors: Turns off WordPress's built-in code editor, which prevents people from editing your files directly through the dashboard Prevent code execution in Uploads folder: Stops malicious code from running in your uploads folder Disable directory browsing: Prevents visitors from seeing a list of files in your folders Block Sensitive Files: Protects important configuration files from being accessed Header Security Options This section helps hide technical information about your website: Recommended Settings (Green Tags) Hide your WordPress version: Prevents showing which version of WordPress you're using Unset X Powered by header: Removes information about what software powers your site Hide CSS File Version: Hides version numbers in your CSS files Hide JS File Version: Hides version numbers in your JavaScript files Caution Setting (Orange Tag) Strict Content Security Policy on the frontend and login screen: This is an advanced security setting that might affect how your site works API & Remote Access Options This section helps protect your website from unauthorized external connections: Disable XML-RPC: Controls a feature that allows external systems to connect to your site Disable REST API for guests: Restricts access to the API for people who aren't logged in Disable Trackbacks & Pingbacks: Turns off notifications between websites Remove RSD Link: Hides a technical link used by some blogging tools Remove WLW Manifest Link: Hides a link used by Windows Live Writer Remove Shortlink: Hides a special short URL for your posts Frontend & Features Options This section helps optimize and secure how your website appears to visitors: Frontend & Features: Turns off special icons used in WordPress Disable WordPress Emojis: Stops emoji support on your site Remove RSS Feed Links: Hides links to your RSS feeds Add Featured Image to RSS Feed: Includes your post images in RSS feeds Disable Embeds in Widgets: Prevents embedding content in widgets Enable Shortcodes in Widgets: Allows using shortcodes in widgets Disable RSS Feed: Turns off your website's RSS feed completely --- - Published: 2026-01-25 - Modified: 2026-01-29 - URL: https://docs.wpultimatesecurity.com/docs/how-it-works/login-authentication/ - Docs Categories: How It Works? - Docs Tags: Beginner Two-Factor Authentication It is an extra layer of multi-factor authentication with email OTP, authenticator apps, SMS authentication, and backup recovery codes. Overview Navigate to Ultimate Security > Login Authentication > 2FA > At the top of the page, you will find three key metrics: Security Status  Indicates the 2FA system is active and working correctly Active Methods  See your 2FA options here. Click 'Compare method' to see a table at the bottom that explains the differences between each method. User Adoption Tracks how many users on your site have actually set up 2FA for their account. Quick Actions This section provides shortcuts to manage your two-factor authentication settings: Test 2FA: Verify your current setup by clicking here. You will be taken to a dashboard where you can choose to test either email or an authenticator app. Setup Wizard: Follow a guided flow to configure 2FA. You can select email OTP or an authenticator app. The wizard walks you through Level -> Method -> Roles -> Review steps before leading you to the final configuration page. View User Status: See which users on your site currently have 2FA enabled. Audit Logs: Review a history of authentication events and activities Authentication Methods Comparison This section helps you compare the two available security methods to decide which one to use. Email Verification: This method is easy to set up and does not require any extra applications. Authenticator App (Recommended): This option is very secure and easy to use. It requires a smartphone. You can view the security rating, pros, and cons for each method. To start setting up a method, click the Configure button. Email OTP This page lets you set up email verification. When turned on, users will get a one-time code in their email every time they log in. Enable Email Verification There is a toggle switch. Enable for Roles This setting allows you to choose which user groups are required to use email 2FA. You may choose to disable this for regular subscribers to avoid friction during simple logins, unless your site deals with sensitive user data. NB: "Save Changes" or "Discard Changes" button will apply the settings Next Steps for Users Once you have enabled this feature on this page, your users must: Go to their WordPress Dashboard > Users > Profile page  Scroll down and find the Ultimate Security Select the email method. Get OTP from the email address for verification Save Settings to apply Security Considerations Please keep the following in mind: Email delivery is not always instant. Network issues or server load can cause delays, making the verification code expire before the user finds it. If a hacker has already compromised a user's email password, they can access the 2FA code, rendering this layer of security ineffective. Occasionally, verification codes can be flagged as spam and end up in the user's junk folder. Authentication Apps Use this page to set up your Authenticator app. These apps provide the strongest security because they work without internet or phone signal. For extra protection, your login code changes every 30 seconds Authenticator Applications Toggle This switch enables or disables two-factor authentication. Enable for Roles This setting allows you to select which user roles are allowed to use the Authenticator App. Advanced Settings This section allows you to select the algorithm used to generate your OTP. You can choose between two options: TOTP (Time-Based): This is the most common algorithm and is used by virtually all authenticators. It generates a new verification code every 30 seconds based on the current time. HOTP (Event-Based): This option generates codes based on a counter. The code only changes when an event occurs (like a login attempt), rather than based on the time. XML-RPC  XML-RPC is a feature in WordPress that allows external services to communicate with your site remotely. You will see a dropdown menu with two specific options. This setting decides if 2FA is required when these external services try to connect. Option 1: Do not require 2FA over XMLRPC (default). External tools and mobile apps can connect to your site using just a username and password. They will not be asked for a 2FA code. Option 2: Do require 2FA over XMLRPC Any connection attempt via XML-RPC (including mobile apps) must provide a valid two-factor authentication code in addition to the password. Note: Only enable this requirement if you are sure your external apps support Two-Factor Authentication, or if you do not use external apps to manage your site Encrypt Keys in Database This feature locks your security codes inside the database to keep them hidden. It adds an extra layer of protection so that even if a hacker gets into your database, they cannot see or steal your login secrets. Note: Once you enable this feature, it cannot be disabled. However, it is completely safe to keep it enabled. Important Notice:  For the highest level of security, we strongly recommend using the Authentication App method (if available) instead of Email OTP. Authentication apps generate codes offline on your device, are immune to email delays, and are virtually impossible to intercept remotely. Use email OTP primarily as a backup method or for users who are unable to use an authentication app. Next Steps for Users Once you have enabled this feature on this page, your users must: Go to their WordPress Dashboard > Users > Profile page  Scroll down and find the Ultimate Security Select the Authentication App method. Click Setup Scan the provided QR code with their preferred mobile app to finish the connection. Reset 2FA Method settings to restore all settings Login Hardening This page helps you protect your website by hiding your login page. By changing the address of your login page, you can stop automated robots and hackers from finding it. Custom Login URL Security It states that modifying the default login URL helps defend against brute force attacks and scanner attacks. Login Page URL Below, you will see the login page URL field. This displays the default address for your login page. In the type box, you can change the default login URL and create a new private entrance. Old Login Page Redirect This option lets you redirect anyone who tries to access the default WordPress login page URL The default setting is 404. If a bot or hacker tries the old default link, they will receive a "Page Not Found" error. You can also add a custom URL in the box to redirect them to another link Show a Consent Message This option lets you show a custom message in the login form This feature has a toggle switch. Next to it, there is a text box containing a default message. This is the text that users will see when they reach your login page. You can type a custom message or welcome message here. Save Your Changes At the bottom of the section; You must click the button to apply any changes you made to the URL or settings. Important Reminder: Before changing your login URL: Bookmark your new login URL or write it down Save the Plugin Deactivation URL from Settings > More > Extra Test the new URL in an incognito window before logging out If locked out, you can deactivate the plugin via FTP or use the deactivation URL Password Requirements This setting allows you to set rules for passwords on your website. By enforcing these rules, you make sure that all users create strong, hard-to-guess passwords. Enable Password Policies You will see the main option labeled "Enable password policies. " This is the switch for this entire page. If you turn this off, none of the password rules below will apply to your users. Quick Presets Below the main switch, you will see a row of tabs labeled "Quick presets. " These are shortcuts to quickly set how strict you want the password rules to be. The available tabs are Basic: Sets simple, easy-to-follow rules. Strong: Sets stricter rules for better security. Enterprise: Sets the highest level of security for professional environments. NB: Clicking one of these tabs automatically fills in the settings below (like length and character types) to match that level of security. Minimum Length Under the presets, you will find the setting for "Minimum length. " This controls how many characters a password must have. You can adjust the number (e. g. , 8, 12, 16) to make passwords shorter or longer. Require Uppercase & Lowercase Next, there is a checkbox labeled "Require uppercase & lowercase. " It means users cannot use all lowercase letters. They must be mixed in capital letters Require Numbers Below that, there is a checkbox labeled "Require numbers. " It means users must include at least one number in their password. Require Special Characters Finally, there is a checkbox labeled "Require special characters. " What this means: Users must include at least one special symbol (like ! , @, #, $, or %) in their password. Exclude Characters Located right below the "Require special characters" option, you will see an input box. While you force users to use special characters, you might want to ban specific ones that cause technical problems or are hard to type. If you type characters into this box (like " '), users will not be allowed to use those specific symbols in their passwords. Password History Next, you will see the setting for "Password history. " This is set to 1 by default This stops users from reusing their old passwords. A setting of "1" means a user cannot reuse their most recent password. They must pick a new one. If you set it to "5," they couldn't reuse their last 5 passwords. Expiration Period Below that, there is an option labeled "Expiration period. " This makes users pick a new password after a certain amount of time. Setting it to "0" (zero) means passwords never expire. Users can keep their password forever. If you want them to change it every 3 months or even in a year, you would enter "3" here and select the month/year near the box. Warning Days Next to the expiration setting, you will see "Warning days. " If you have an expiration period set, this setting warns the user before their password runs out. Setting any number means the user will receive a notice before their password expires, reminding them to update it. Grace Period Below the warning days, there is the "Grace period" setting. This gives users a few extra chances to log in after their password has technically expired. Setting any number means the user can still log in for the certain number of days after the expiration date. During this time, the site will usually force them to pick a new password immediately. After the days are over, they are locked out completely. Email Notification You will see a toggle switch labeled "Email notification. " The system will automatically send emails to users regarding their password. This ensures users get notified about upcoming expirations or required changes without you having to tell them manually. First Login Reset At the bottom of this section, there is a toggle labeled "First login reset. " This is useful for new accounts. When you create a new user and they log in for the very first time, the system will force them to change their password immediately. This ensures that only the actual user knows their password, not the admin who created the account Disable Self-Service Reset You will see a toggle switch labeled "Disable self-service reset. " Normally, users can click a "Lost your password? " link to reset their own password via email. By turning this on, you are disabling that feature. This is useful for high-security sites where you want to personally verify who is asking for a password reset. It prevents hackers from trying to take over accounts by using the reset tool. Custom Reset Message Below the toggle, there is a text box labeled "Custom reset message. The box currently contains the text "Contact site administrator to reset your password. " What this means: Since the standard reset link is now hidden, this is the message users will see instead. You can type any instructions you want here. For example, you could provide an email address telling users exactly how to reach you to get their password fixed. Custom Reset URL Next, there is an input field labeled "Custom reset URL. " What this means: If you have created a specific custom page or form on your website for users to request help, you can paste that link here. If you do not have a custom page, you can leave this as is. If you enter a URL, the system might redirect users to that specific page when they try to reset their password. Save or Discard Changes At the very bottom of the page, you will see buttons to control your settings. Session Management This page helps secure accounts by limiting current logins, terminating idle sessions, and tracking all login attempts About Active Logins When you look at the About Active Logins box, you will see a simple explanation of why this feature is good for your site. Enable Active Logins Logic There is a toggle switch to enable this feature Maximum Active Sessions This setting allows you to control how many devices can stay logged in at a time. Set your preferred session numbers in the box to limit login devices. Recommendations At the bottom of the page, you will see a Recommendations section. This gives you helpful advice on how many sessions to allow for different types of users. Note: If you aren't sure what number to pick, following the recommendations is the safest choice Use the buttons at the bottom of the page to save and discard changes. --- - Published: 2026-01-25 - Modified: 2026-02-01 - URL: https://docs.wpultimatesecurity.com/docs/how-it-works/threat-protection/ - Docs Categories: How It Works? - Docs Tags: Beginner Bot Protection reCAPTCHA Settings This section helps you block bots from spamming your website's form. It uses a tool from Google to check if a real person is trying to submit the form. Enable reCAPTCHA on Signup There is a switch labeled "Enable reCAPTCHA" to control this feature. reCAPTCHA Version You can choose between two versions of this method: v2: Usually shows the familiar "I'm not a robot" checkbox. v3: Works silently in the background without bothering your users unless it detects suspicious behavior. Enter Your Keys (Site Key & Secret Key) To make these features work, you need two special codes from Google. Site Key: This is a public code that goes into your website's form. Secret Key: This is a private code that stays on your server (in the plugin settings) to verify the check. How to fill this out: You will need to get these keys for free from the Google reCAPTCHA website. Once you have them, copy and paste the "Site Key" into the first box. Copy and paste the "Secret Key" into the second box. reCAPTCHA verification failed Use this box to change the message people see when they fail the security check. This message appears if someone gets the puzzle wrong or if the system thinks they are a robot. A default message is pre-filled in the text box, but you can overwrite it with your own custom text. Can not connect to server Use this box to write a message for when the security check doesn't work. This error might show up if your internet is down or if a security setting is stopping the connection. There is already a default message here, but you can change it. reCAPTCHA Field Title This setting allows you to change the text label that appears above the checkbox on your form. The default text is already set. You can change it too. reCAPTCHA Theme You can select Light or Dark theme based on your preferences reCAPTCHA Size You can select Normal or Compact size based on your preference No-Conflict Mode Enable No-Conflict Mode to prevent conflict from other themes or plugins and ensure your system runs smoothly. WooCommerce Registration If you are running an online store, enable this feature to secure your customer signup process. Enable reCAPTCHA on Signup: Toggle this to ON. This adds a security verification to the registration page during checkout, preventing automated bots from creating fraudulent customer accounts. Note: Once you are happy with your settings, scroll to the bottom and click the blue button that says Save Changes. If you made a mistake and want to go back to how things were before you started editing, click Discard Changes Cloudflare Turnstile This guide will help you set up and use the Cloudflare Turnstile plugin. This keeps your website safe without making it hard for your visitors Default WordPress Forms These settings determine where you want to use Cloudflare Enable toggle activates the following settings: WordPress Login WordPress Register WordPress Reset Password WordPress Comment. Your Keys Put those keys into the field. "Site Key" field. Paste your Site Key here. "Secret Key" field. Paste your Secret Key here. General Settings These settings control how the Turnstile check looks and works on your site. Theme: You can choose between "Light" and "Dark" themes. Pick the one that matches your website's look. Language: You can let the plugin automatically detect the language, or you can choose a specific language for the Turnstile check. Disable Submit Button: This option can stop people from submitting a form until they pass the security check. It's usually a good idea to leave this "Enable. " Advanced Settings These are for more experienced users, but you can still use them Widget Size: Choose the size of the security check. Appearance Mode: Choose when the security check appears. "Always" means it will always be there. Defer Scripts: This can make your website load faster. It's usually best to leave this "Enable. " Custom Error Message: If someone fails the security check, you can show them a special message. The default is "Please verify that you are human. " Extra Failure Message: Add another message if the check fails. It's usually best to leave this "Disable. " Whitelist Settings This lets certain people skip the security check. Logged In Users: If you "Enable" this, people who are logged into your website won't see the security check. IP Addresses: You can add IP addresses here. If you add an IP address, anyone using that address won't see the security check. User Agents: You can add "User Agents" here. This is like a browser's name. If you add a User Agent, anyone using that browser won't see the check. Turnstile Logs: If you "Enable" this, the plugin will keep a record of when the security check is used. Don't forget to click the "Save Changes" button at the bottom of the page. Brute Force Protection Login Attempts This Setting helps you stop automated robots from guessing your password. Login Limit This is the main switch that activates the protection. Login Attempts  This tells the plugin how many times someone is allowed to type the wrong password. If someone guesses wrong 4(the default) times, we immediately block them. Lockout Duration:  This is how long the person is "put in timeout" after guessing wrong too many times. They will have to wait certain time before they can try again. Increase Login attempts: If the same person gets locked out in hours, the plugin decides they are a serious threat and gets tougher. Increase Lockout Duration:  Once they are marked as a serious threat, we Increase Lockout time in hours after first lockout. Retries Reset Duration:  Sometimes a real user just forgets their password. This setting tells the plugin: If they haven't tried to log in for a particular hour, forget about their past mistakes and let them start fresh. Block Users Stop a specific person from logging into your website. In the input box, type the exact username of the person you want to block. Select All: Click this if you want to highlight every user currently on your blocked list at the same time. Remove All: Click this to clear the entire list and unblock everyone. Recovery URL Use this link if you ever get locked out of your account. So please keep it private and store it somewhere safe offline Please follow these steps carefully: Generate Key: Click the Generate Key button. The plugin will create a secret link just for you. Copy: Click the Copy button to save that link to your computer's clipboard. Save It Somewhere Safe: This is the most important step. Paste that link into a document on your computer, write it in a notebook, or save it in a password manager. Important Warning: Do not lose this link. If you get locked out, this is the only way you can get back in to manage your site. Keep it private and do not share it with anyone. NOTE: Once you have these settings how you like them, click Save Changes Lockout Notifications The switch controls the configuration setting Notification Email Enter the email address where you want to receive these alerts. After you type your email, click "send text" button. It will send a test email to make sure everything is working correctly. Check the Spam folder if it's not found in the inbox Notify On User Lockout Sends an email when someone is blocked for trying the wrong password too many times. Extended Lockout Sends an email when a persistent hacker is blocked for a long time (usually because they kept trying to break in). Recovery URL Used Sends an email if someone uses the secret "Emergency Unlock Key. " Email Rate Limit If your site is under attack, you might get hundreds of alerts in a few minutes. This setting stops that. It limits the emails to 10 (default) per hour. This way, you stay informed, but your inbox doesn't get completely clogged up. Once you have your email address set and your choices made, click Save Changes at the bottom of the page. Locked Users This table shows users locked out for too many login failures. You can unlock them manually here At the top of the list, you will see tabs labeled "All," "Phase 1," and "Phase 2. " These simply separate users based on how long they are locked out for. All: Shows everyone combined. Phase 1: These are people who made a few mistakes. They are locked out for a short time (like 10 minutes). Phase 2: These are people who kept trying to break in. They are "Serious Offenders" and are locked out for a much longer time. Manually Unlocking a User Sometimes, a real person might forget their password and get locked out by mistake. If this happens, you can let them back in early. Step 1: Find the username in the list and check the box next to their name. Step 2: Look for the box that says "Select Option. " Click it to open the menu. Step 3: Choose "Unlock selected users" from the list that appears. Step 4: Click the blue "Apply" button. The user will be able to log in again immediately after you do this. Other Tools Search Box: If you have a long list, type a username here to find them quickly. Refresh: Click this if you want to update the list to see the very latest status. URL - Request Guard Enable URL Guard At the top, you will see a switch labeled Enable URL Guard. What it does: When this is turned ON (showing blue/green), your site is actively protected against common attacks that try to sneak in through URLs. Request Methods This section lets you choose "how" information is sent to your website. The Default: Most websites only need the standard methods (like GET and POST) to work perfectly. The plugin handles this automatically. The Dropdown Menu: You will see a list that includes options like PUT, PATCH, DELETE, etc. Important Warning: If you select methods other than the standard ones (like PUT or PATCH), you might accidentally lock yourself out of your own website dashboard. If this happens: You would need to delete a specific log file in your database to get back in. It is much safer to leave this setting on its default options! IP Whitelist Bypass Think of this as your "VIP List. " What it does: If you add an IP address here, the URL Guard will never block that person, no matter what. Why use it: This is useful if you have a specific office computer or a developer who needs access to the site and you want to make sure they never get stopped by the security guard by mistake. Log Retention This setting decides how long the plugin remembers (keeps a record of) the attacks it stops. The plugin will save a history of blocked requests for a month. Save and Clear Always click this button if you make any changes to the settings above. Request History This page keeps a list of the requests (visits) that your plugin has checked. Dashboard Stats (At the Top) Right in the middle of the screen, you will see two big numbers. These give you a quick "health check" of your site's traffic. Today's Requests Requests in Last 7 Days Test URL The Request Logs Table  Below the numbers, you will see a detailed table. This is the main record of specific events. Here is what each column means: Path Query Params Date Status Navigating the List If you have a lot of logs, you won't be able to see them all on one screen. Look at the bottom of the table. You will see buttons like or page numbers (e. g. , Page 1 of 5). Click these to flip through the pages of history, just like turning pages in a notebook. Managing Your Logs If your list gets too long, or if you just want to clean things up, you can manage the data here. Delete: You can select specific items (or all items) and delete them. This is useful if you want to clear out old records to make the list easier to read. Refresh: If you are waiting to see new activity, click the refresh button to update the list. Note: It is a good idea to check this page every now and then. If you see the same strange "Path" showing up many times in a row, it might mean someone is trying very hard to find a way in Query String Filtering This page is where you can set up specific "Banned Words" or codes for your website's links. It sounds technical, but the idea is simple: if you know a specific code that hackers use, you can tell the plugin to block it instantly. Here is a guide to using this page. Query String Before you use this page, it helps to know what we mean by "Query String. " Think of a URL (a web address) like a letter sent to your website. Sometimes, that letter has a P. S. at the end, like ? id=123 or ? search=shoes. That part after the question mark is the Query String. Hackers often try to hide dangerous codes inside this "P. S. " section. This page helps you catch them. Adding a New Rule  In the middle of the page, you will see a large empty text box. How to use it: If you have a specific code or text string that you want to ban (for example, a suspicious word you found in your logs), type it into this box. Submit: Once you have typed the code, click the Submit button. What happens next: The plugin will remember this code. If anyone tries to use it in a link on your site, the plugin will block them immediately to keep you safe from things like SQL Injection (a type of attack). The Query Strings List  Below the input box, there is a section that lists all the rules you have created. Current Status: Right now, it says "No Query Strings found. " What this means: You haven't added any banned words yet, so the list is empty. This is perfectly normal! Future Use: As you add rules using the box above, they will appear here in a list. You can come back to this list later if you want to delete old rules you don't need anymore. This page gives you extra control. While the plugin does a lot of work automatically, this feature lets you say, "Block THIS specific thing, no matter what. " It is a powerful tool to stop specific attacks that target your website. User Agent Filtering This page helps you stop bad robots and annoying crawlers from visiting your website. To understand how this works, imagine that every visitor to your site is wearing a Name Tag. What is a "User Agent"? In the computer world, a "User Agent" is just that: a digital name tag. When a real person visits your site using Google Chrome, their name tag says something like "Chrome Browser. " When a search engine (like Google) visits your site to read your pages, their name tag says "Google Bot. " However, some bad robots wear "fake name tags" or use specific names to try and sneak in. This page lets you ban specific name tags. Blocking a Bad Bot In the middle of the page, you will see an empty box and a Submit button. This is where you tell the plugin which name tags to ban. How to use it: If you know a specific name or keyword that a bad bot uses (for example, a tool that scrapes content or spams your site), type it into this box. Why use keywords: You don't always need the exact name. You can type just a part of the name. If a bot's name tag contains that word, it will be blocked. Submit: After typing the word, click the Submit button to add it to your block list. The User Agents List Below the input box, you will see a section labeled User Agents. Current Status: It currently says "No user agents found. " What this means: You haven't added any bots to your block list yet. This is completely normal! Future Use: Once you start adding rules using the box above, they will appear in this list. You can look here anytime to see exactly which name tags you have banned. Time Filters (Today, Past 7 Days) Above the list, you will see options to filter by time, such as Today or Past 7 Days. What they do: These buttons act like a pair of glasses that help you focus on a specific time period. How to use them: If you have been using the plugin for a long time and have a big list, you can click "Today" to only see things that happened in the last 24 hours. It helps you keep track of recent activity. Bulk Actions If you end up with a long list of blocked bots and want to clean it up, you can use the Bulk Action menu. How to use it: Select the items you want to change from the list. Choose an action: Pick what you want to do with them (like Delete). Apply: Click the Apply button to make it happen. Think of this page as the Bouncer at a club. If someone shows up with a name tag you don't like, the Bouncer stops them at the door Email & Address Blacklist Email Blacklist This page helps you control who is allowed to sign up or interact with your website based on their email address. Email Enable Blacklist By enabling this switch, you can add email addresses you want to block. Blocking these email addresses Type the email address you want to ban. After typing the email, click the Submit button. Blocked List Below the input box, you will see a list area. Blocked emails will appear in this list. You can check this list to see which email addresses are currently banned. You can delete the email address from the block list. Use the search box at the top right to find email addresses fast. You can also tap the refresh button to update your block list right away Once deleted, that person will be able to sign up again. Address Blacklist Block certain addresses at forms and checkout to keep your store safe. Enable Address Blacklist At the very top of the page, you will see a switch labeled "Enable Address Blacklist. " This activates the protection. Similarity Percentage Below the main switch, you will see a setting called Similarity Percentage, set to 60%. This setting tells the plugin: "If a new address looks more than 60% like a blacklisted address, block it. " Adding a Suspicious Address In the middle of the page, you will see a form to add address. Enter the details of the address you want to block. Address 1 & 2: The street address (Required). City: The city name (Required). State: The state or region (Required). Postcode: The zip or postal code (Required). Country: The country (Required). NB: Once you have filled in the boxes, click the Add to Blacklist button. That address is now banned. Viewing Blocked Addresses The bottom part of the page shows the history of what has happened. Time Filters: You can click Today, Last 7 days, or This Month to see only the activity from that specific time. The Table: The table shows the details (Address, City, State, Postcode) of any addresses that have been flagged. At the very bottom of the page, you will see action buttons to apply settings. Save Changes or Discard Changes --- - Published: 2026-01-25 - Modified: 2026-01-29 - URL: https://docs.wpultimatesecurity.com/docs/getting-started/installation/ - Docs Categories: Getting Started - Docs Tags: Beginner You can install the plugin in two ways. The easiest way is through the WordPress Dashboard. Method 1: Install via WordPress Dashboard (Recommended) Log in to your WordPress Dashboard. Navigate to Plugins > Add New. In the search bar (top right), type "wpultimatesecurity" Find the plugin "WP Ultimate Security--Firewall, Login Security, 2FA Protection & More" by wpultimatesecurity. Click the Install Now button. Once the installation is complete, press Activate. Method 2: Manual Zip file Download Download the plugin zip file from the WordPress repository. Log in to your WordPress dashboard > Plugins > Add Plugins > Upload.   Select the downloaded zip file from your computer, then upload it, and WordPress will automatically install it. Once the installation is complete, click to activate the plugin --- - Published: 2026-01-25 - Modified: 2026-02-18 - URL: https://docs.wpultimatesecurity.com/docs/dashboard/dashboard/ - Docs Categories: Dashboard - Docs Tags: Beginner Once the plugin is activated, you will see a new menu item in your WP dashboard called Ultimate Security. Click on it to enter the plugin's dashboard. This is the first screen; you will see a greeting pop-up. After heading to the next steps, the "Just an emergency" pop-up will appear. It will provide you with an emergency URL that deactivates the plugin if you encounter any issues. Here is the first dashboard you will be exploring: It provides a real-time data of your website's security.   Top right, you will find a refresh button to update all the cards. Your Security Score At the top left corner, you will see Your Security Score. This score presents how many security features are currently active on your site. Next to the score, you will see a security meter. Hit 'Click to view detailed breakdown' for more security info. This pop-up shows you exactly how safe your website is. A. Top Score Display At the very top, you see three things: Score: Your points Status: "Poor," "Fair," or "Good. " Percentage: The amount of safety you have right now. B. Top Recommendations and More Security Features By adjusting these settings, you can improve your score C. Footer A close button to go back to the main screen Issue Counters and Critical Threats Near the "Security Score," there are four important signs that help you prioritize your actions: Issues Found It shows recommendations or vulnerabilities that are not currently active threats but pose a risk if left unaddressed. Critical Threats This counts the number of immediate, high-risk dangers currently detected on your site. Outdated Plugins The number shows how many of your installed plugins are currently running on old versions Failed Logins It counts how many times someone tried to log in to your website recently but failed to access it. Site Health This section shows your website's overall health WP Health: It depends on PHP version, security scans, and system configuration. SSL: This checks if your site has a security certificate. Response: This tracks how quickly your site starts loading. File Integrity This section acts like a security guard. It monitors WordPress's core files. The purple button will show you exactly which file is different. You can then see if it is a safe change or if you need to delete it to protect your site "View Results" Button This screen appears after clicking the View Results button. It scans a detailed report on any files that have been changed, added, or removed from your WordPress installation. Scan Summary At the top of the page, you will see a quick summary of the findings based on the scan time. Modified: It indicates that if any modified file has been detected Missing: It shows that if any files are missing Unknown: It indicates if there are any unfamiliar files. Total issues: The sum of all issues found. Important Note You will see a yellow notification box on this screen. Not all modified files are malicious. Sometimes, changes are made by legitimate plugins or themes you installed. Check 'Unknown' files to ensure they belong to a trusted plugin. If they aren't recognized, investigate or delete them File List Details A list displays the specific files that triggered the alert. Finding any specific files from the search box can save time. File Name: Shows the file Status: Indicates the type of change. Risk: Indicates the threat level. Size: Shows the size of the file  Action Buttons At the bottom of the screen, you have three options: Export Report: Download your scan report. Rescan: Run rescan to update your results after fixing or deleting files Close: Click this to return to the main Dashboard Bottom Cards Failed Login Attempts This counts how many times incorrect credentials were entered in the last 24 hours. Login Attempts This section shows recent login activity. It lists both successful and failed attempts. Each record includes the time and IP address used. Plugin Updates This section shows any available updates for your plugins. Critical Threats This section displays critical security threats found on your website. Quick Action This section provides easy access to the most important security features of your WordPress site. These are common security tasks that you can set up quickly with just a few clicks. Enable 2FA Adds an extra layer of security to your login process Requires a second verification step when logging in Click "Configure" to set up two-factor authentication Brute Force Protection Blocks repeated login attempts from suspicious sources Prevents automated password guessing attacks Click "Configure" to enable this protection Limit Login Attempts Restricts the number of failed login tries Helps prevent brute force attacks on your login page Click "Configure" to set your preferred limits Hide Login URL Changes the default WordPress login path (wp-login. php) Makes it harder for attackers to find your login page Click "Configure" to set a custom login URL Disable File Editing Prevents unauthorized changes to your theme and plugin files Adds an extra security layer to your site's core files Click "Configure" to enable this protection Each action has a "Configure" button that will take you to the specific settings page where you can customize that security feature according to your needs. These quick actions help you strengthen your site's security without needing to navigate through multiple menus. Security Recommendations This section shows important security improvements for your WordPress site. The plugin analyzes your current security setup and recommends actions to make your site more secure. How to Use Click the Fix button next to any uncompleted recommendation to set it up. Each fix guides you through the configuration process. As you complete recommendations, the progress bar and completion count will update automatically. --- - Published: 2026-01-25 - Modified: 2026-01-25 - URL: https://docs.wpultimatesecurity.com/docs/getting-started/system-requirements/ - Docs Categories: Getting Started - Docs Tags: Beginner Before installing WP Ultimate Security, please ensure your server meets the following minimum requirements: WordPress Version: 5. 8 or greater PHP Version: 8. 1 or greater --- ---