Single-command WordPress security! šŸŽ‰

NEW feature in >wp-cli to secure any WordPress instance in just 60 seconds.

Itā€™s 100% free & takes less than a minute to run it.

Thank you for participating and contributing:

T-Systems Logo
four for business

One command to rule them all šŸ¤˜

80% of the attacks to WordPress instances could be mitigated by simply applying common security best practices [1].

wp secure all exactly does that for you. Via wp secure all common best practices are applied proactively, and you are ready to go.

What's covered by secure all?

The security vulnerabilities identified in 2012 [2] are still the security vulnerabilities of today [1].

wp secure all made it its mission to fix this grievance and make security the defacto standard.

By executing wp secure all security best practices such as:

Fix permissions

Set the correct permissions of all files & directories in your WordPress installation.

Set security headers

We add HSTS (Strict-Transport-Security), X-XSS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.

Disable file editor

Prevents hackers from using file editor on your WordPress Dashboard.

Prevent PHP execution on sensitive locations

To extend security, you can block direct access to PHP files in plugins, themes, wp-includes and uploads.

Block access to sensitive stuff

Prevent hackers from accessing sensitive files and directories.

And many more ...

See the README for an overview of all features.

Why not using a plugin instead?

Security Plugins mitigate some security vulnerabilities, but also introduce new attack vectors. Security researchers show that WordPress Security Plugins are ā€žfailing entirely and even the most effective plugins failing to identify significant vulnerabilitiesā€œ [3].

wp secure all on the other hand is integrated in the WP CLI tool, passes multiple quality reviews, and fixes common security vulnerabilities without adding additional attack surfaces.

[1]: WORDPRESS.ORG, 2021, ā€žHardening WordPressā€œ. Forums [online]. 3 May 2021. [Accessed 20 March 2022].

[2]: KOSKINEN, Teemu; et al.; ā€žQuality of WordPress plug-ins: an overview of security and user ratingsā€œ. In: 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Confernece on Social Computing. IEEE, 2012. S. 834-837.

[3]: MURPHY, Daniel T.; et al.; ā€žPlugins to detect vulnerable plugins: An empirical assessment of the security scanner plugins for wordpressā€œ. In: 2021 IEEE/ACIS 19th International Conference on Software Engineering Research, Management and Applications (SERA). IEEE, 2021. S. 39-44.

What does secure all not do?

WP CLI Secure is part of the WP CLI and has the single purpose to secure your WordPress instance with one click.

However, it does not provide monitoring and alerting in case of malware injection. Also, WP CLI Secure is not a replacement for the ModSecurity, fail2ban and properly configured web server and firewall rules.

Meet the team

WP CLI Secure is a CLOUDFEST Hackathon 2022 product!

The Team
Igor Hrček

Mint Hosting

Aleksandar Savković


Andreas Biberacher

T-Systems onsite

Matt Biscay


Benjamin Burkhardt

T-Systems onsite

Zvonimir Artić


Jan-Willem Oostendrop


Thomas Stauer

4fb GmbH

Lucio Sa


Dwayne Sharp

Health Rise GmbH

> wp-cli secure all


wp-cli secure all  Ā© 2022 Made with Love within 48 hours