Single-command WordPress security! 🎉

NEW feature in wp-cli to secure any WordPress instance in just 60 seconds.

It’s 100% free & takes less than a minute to run.

Thank you for participating and contributing:

T-Systems
InnoLab
IONOS
CLOUDWAYS
CODEABLE
Healthrise
four for business

One command to rule them all 🤘

80% of the attacks on WordPress instances could be mitigated by simply applying common security best practices [1].

wp secure all does exactly that for you: it applies common best practices proactively, and you are ready to go.

What’s covered by secure all?

The security vulnerabilities identified in 2012 [2] are still the security vulnerabilities of today [1].

wp secure all has made it its mission to fix this grievance and make security the de facto standard.

Executing wp secure all applies security best practices such as:

Fix permissions

Set the correct permissions of all files & directories in your WordPress installation.

Set security headers

We add HSTS (Strict-Transport-Security), X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.

Disable file editor

Prevents hackers from using the file editor in your WordPress Dashboard.

Prevent PHP execution on sensitive locations

To extend security, you can block direct access to PHP files in plugins, themes, wp-includes and uploads.

Block access to sensitive stuff

Prevent hackers from accessing sensitive files and directories.

And many more …

See the README for an overview of all features.
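One way to verify the header step after running the command, as an added example that is not part of wp-cli secure: it audits a response's header block (such as `curl -sI` output) for the five headers listed above, taking X-XSS-Protection as the full name of the XSS header. The sample response and the pass thresholds are constructed for this example.

```python
import re

# Constructed sample: a header block as printed by `curl -sI`, not from a real site.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
x-content-type-options: nosniff
Referrer-Policy: unsafe-url
"""

MIN_HSTS_AGE = 15552000  # assumption of this example: accept six months or longer
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def hsts_ok(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) >= MIN_HSTS_AGE

# One validator per header from the feature list (names lower-cased for lookup).
CHECKS = {
    "strict-transport-security": hsts_ok,
    # Legacy header that modern browsers ignore; only the syntax is checked.
    "x-xss-protection": lambda v: v.replace(" ", "").lower() in ("0", "1", "1;mode=block"),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    # A comma-separated value is a fallback list; the last entry is the preferred one.
    "referrer-policy": lambda v: v.split(",")[-1].strip().lower() in STRICT_REFERRER,
}

def parse_headers(raw):
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                             # keep the first occurrence of a repeated header
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing'} for each header in CHECKS."""
    headers = parse_headers(raw)
    return {name: "missing" if name not in headers
            else ("ok" if valid(headers[name]) else "weak")
            for name, valid in CHECKS.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```

A header reported as "weak" is present but carries a value this example's thresholds reject, such as the short `max-age` in the constructed sample.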

Why not use a plugin instead?

Security plugins mitigate some security vulnerabilities, but also introduce new attack vectors. Security researchers show that WordPress security plugins are “failing entirely and even the most effective plugins failing to identify significant vulnerabilities” [3].

wp secure all, on the other hand, is integrated in the WP CLI tool, passes multiple quality reviews, and fixes common security vulnerabilities without adding attack surface.


[1]: WORDPRESS.ORG, 2021, “Hardening WordPress”. WordPress.org Forums [online]. 3 May 2021. [Accessed 20 March 2022].

[2]: KOSKINEN, Teemu; et al.; “Quality of WordPress plug-ins: an overview of security and user ratings”. In: 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing. IEEE, 2012. pp. 834-837.

[3]: MURPHY, Daniel T.; et al.; “Plugins to detect vulnerable plugins: An empirical assessment of the security scanner plugins for wordpress”. In: 2021 IEEE/ACIS 19th International Conference on Software Engineering Research, Management and Applications (SERA). IEEE, 2021. pp. 39-44.

What does secure all not do?

WP CLI Secure is part of the WP CLI and has the single purpose of securing your WordPress instance with one click.

However, it does not provide monitoring and alerting in case of malware injection. Also, WP CLI Secure is not a replacement for ModSecurity, fail2ban, and properly configured web server and firewall rules.

Meet the team

WP CLI Secure is a CLOUDFEST Hackathon 2022 product!

The Team
Igor Hrček

Mint Hosting

Aleksandar Savković

CloudWays

Andreas Biberacher

T-Systems onsite

Matt Biscay

Codeable

Benjamin Burkhardt

T-Systems onsite

Zvonimir Artić

IONOS SE

Jan-Willem Oostendrop

Codeable

Thomas Stauer

4fb GmbH

Lucio Sa

Codeable

Dwayne Sharp

Health Rise GmbH

wp-cli secure all  © 2022 Made with Love within 48 hours