We’re excited to announce automatic HTTP security headers as a new built-in feature in cPFence’s WP-AutoShield module. Now, all WordPress sites on your server will have enhanced security headers applied automatically at the server level—zero configuration required.
WP-AutoShield continues to simplify intelligent WordPress security, offering a comprehensive set of tools designed specifically for hosting providers and VPS owners. This latest feature runs seamlessly alongside existing protections such as:
- Automatic detection of all WordPress installations
- One-click hardening of core WordPress files and directories
- Daily malware scans of all WordPress databases
- Automatic plugin vulnerability detection with email alerts
- Secure file and folder permission enforcement
- Automatic disabling of XML-RPC and pingbacks
- Disabling of file editing from WordPress admin
- Daily reset of secure authentication keys
- Optional CAPTCHA and idle logout protections
- Limit login attempts with ban and cooldown logic
- Disabling risky post content (iframes, embeds, raw JavaScript)
- Renaming default admin usernames
- Optional automatic blacklisted plugin removal
- Optional deployment of custom MU plugins
- Optional removal of caching plugins (except LiteSpeed Cache)
- Optional auto-updates for WordPress core, plugins, and themes
- Automatic database optimization
- Disabling WordPress default cron for improved performance
With the addition of automatic security headers, your sites gain powerful browser-level protection against common web attacks.
Why HTTP Security Headers Matter
HTTP security headers tell browsers how to interact securely with a website, acting as a critical layer of defense at runtime. They prevent exploitation of vulnerabilities before attackers reach your code—protecting against common threats such as Cross-Site Scripting (XSS), clickjacking, and downgrade attacks.
Security headers are strongly recommended by OWASP and other leading security experts. Hosting providers and VPS owners especially benefit, as client websites are protected automatically, without relying on user awareness or manual intervention.
Security Headers Applied by WP-AutoShield:
- Access-Control-Allow-Methods: limits allowed HTTP methods (GET, POST).
- Access-Control-Allow-Headers: defines allowed request headers (Content-Type, Authorization).
- Cross-Origin-Embedder-Policy: controls resource embedding.
- Cross-Origin-Opener-Policy: prevents cross-origin data leaks.
- Cross-Origin-Resource-Policy: specifies allowed origins for loading site resources.
- Permissions-Policy: restricts sensitive browser features (camera, geolocation, etc.).
- Referrer-Policy: controls referrer information sent to external sites.
- X-Content-Type-Options: prevents MIME-type sniffing attacks.
- X-Frame-Options: prevents iframe embedding (clickjacking protection).
- X-Permitted-Cross-Domain-Policies: disables legacy Flash policies.
Additionally, for HTTPS sites, WP-AutoShield enforces:
- Content-Security-Policy: upgrades all requests to HTTPS.
- Strict-Transport-Security (HSTS): enforces HTTPS connections long-term.
- X-Content-Security-Policy: legacy header for older browsers.
These headers require no manual coding or plugins—they’re applied transparently at the server level.
Test Your Security Headers Instantly
To start benefiting immediately, simply upgrade cPFence to version 3.3.60 or higher. WP-AutoShield applies these headers automatically each day at 6:10 AM. To trigger a manual run immediately, execute:
/opt/cpfence/app/wpautoshield/cpfautoshield
Once activated, use securityheaders.com to verify your headers instantly. This free tool scans your website, clearly grading your site’s security headers from F to A+. Remember to clear cache plugins or append ?nocache=1 to your URL for accurate results.
Demonstrate to your clients how your hosting stands apart with secure-by-design solutions. Let them visually see the immediate improvement in security posture, going from a red “F” to a reassuring green “A+”.
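For a local check that does not depend on an external scanner, the following added example (not part of cPFence or WP-AutoShield) reads a raw response header block and lists which of the headers named in this post are absent. The function names, the sample response and the example.com URL are assumptions made for illustration.

```shell
#!/bin/sh
# Header names copied from the two lists in this post.
ALWAYS="Access-Control-Allow-Methods Access-Control-Allow-Headers
Cross-Origin-Embedder-Policy Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy Permissions-Policy Referrer-Policy
X-Content-Type-Options X-Frame-Options X-Permitted-Cross-Domain-Policies"
HTTPS_ONLY="Content-Security-Policy Strict-Transport-Security
X-Content-Security-Policy"

# missing_headers SCHEME: read a raw response header block on stdin and
# print each expected header that is absent, one per line.
missing_headers() {
    scheme=$1
    # Strip CRs, keep only the field name, lowercase it (names are
    # case-insensitive and HTTP/2 sends them lowercase).
    present=$(tr -d '\r' |
        sed -n 's/^\([A-Za-z0-9-][A-Za-z0-9-]*\):.*/\1/p' |
        tr '[:upper:]' '[:lower:]')
    wanted=$ALWAYS
    if [ "$scheme" = "https" ]; then wanted="$wanted $HTTPS_ONLY"; fi
    for h in $wanted; do
        lc=$(printf '%s' "$h" | tr '[:upper:]' '[:lower:]')
        # -x matches the whole name, so X-Content-Security-Policy does not
        # satisfy Content-Security-Policy.
        printf '%s\n' "$present" | grep -qxF -- "$lc" || printf '%s\n' "$h"
    done
}

# Constructed sample response (values are illustrative, not cPFence output).
sample_response() {
    printf '%s\r\n' \
        'HTTP/2 200' \
        'content-type: text/html; charset=UTF-8' \
        'x-frame-options: SAMEORIGIN' \
        'X-Content-Type-Options: nosniff' \
        'referrer-policy: strict-origin-when-cross-origin' \
        'permissions-policy: camera=(), geolocation=()' \
        'strict-transport-security: max-age=31536000' \
        'x-content-security-policy: upgrade-insecure-requests'
}

# Live use (example.com is a placeholder):
#   curl -sI "https://example.com/?nocache=1" | missing_headers https
sample_response | missing_headers https
```

An empty result means every header from the lists above was present in the response; pass http instead of https to skip the three HTTPS-only headers.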
Why Hosting Providers and VPS Owners Benefit
WP-AutoShield requires no client action or complex configuration. With security headers applied automatically, hosting providers and VPS owners experience reduced support burdens, strengthened client trust, and improved overall platform security.
Additional New Features in Version 3.3.60
Forced Plugin Installation Across All Sites
You can now automatically install specific plugins across all client WordPress sites. Simply add the desired plugin slugs into /var/log/cpfenceav/wp-plugin-bundle.txt, and WP-AutoShield takes care of the rest. A practical example: instantly prevent comment spam server-wide by enforcing the installation of the recommended Forget Spam Comment plugin—one click and you’re done! (This feature is off by default; set autoshield_force_plugin_bundle in WebUI → System Settings to “on”.)
Automatic LiteSpeed Cache Clearing
Ever woken up to find your site CSS corrupted and the layout broken—only to realize a simple cache clear resolves everything? We’ve experienced that too! WP-AutoShield now offers automatic daily LiteSpeed cache clearing across your entire server cluster, ensuring consistent CSS rendering and site stability. (This feature is off by default; set autoshield_clear_litespeed_cache in WebUI → System Settings to “on”.)
Ready to see it in action? Get started today with a one-month free trial of cPFence: