Block Author Enumeration

  • Prevents access to author archive pages to block username enumeration.
  • Stops visitors from opening ?author= URLs on the frontend — improves security by denying direct exposure of author usernames.

Clickjacking Protection

  • Adds an X-Frame-Options header (SAMEORIGIN or DENY).
  • Prevents your site from being embedded in iframes — stops clickjacking attacks.

Cross-Origin Embedder Policy (COEP)

  • Adds Cross-Origin-Embedder-Policy: require-corp header.
  • Helps isolate your site for advanced security features (e.g., WebAssembly, SharedArrayBuffer).

Cross-Origin Opener Policy (COOP)

  • Adds Cross-Origin-Opener-Policy header (same-origin or same-origin-allow-popups).
  • Improves site isolation and security against cross-origin attacks.

Cross-Origin Resource Policy (CORP)

  • Adds Cross-Origin-Resource-Policy header (same-origin, same-site, or cross-origin).
  • Controls how your site’s resources can be shared or loaded by other origins.

Cross-Site Scripting (XSS) Protection

  • Adds X-XSS-Protection: 1; mode=block
  • Enables basic cross-site scripting protection (mainly for older browsers).

Custom Login Path

  • Replace the default wp-login.php with your own URL.
  • All login attempts must go through your custom path — hides the default WordPress login page.
  • Choose what happens if someone visits the default login URL or /wp-admin without permission.
  • You can show a custom message or redirect visitors to the homepage — improves security and prevents unauthorized access attempts.

Disable File Editor

  • Defines DISALLOW_FILE_EDIT as true.
  • Prevents editing of theme and plugin files from the WordPress admin — reduces risk if an attacker gains access.

Disable REST API for Non-Logged-in Users

  • Blocks REST API access for non-logged-in users.
  • Prevents anonymous visitors from using the WordPress REST API — improves privacy and reduces attack surface.

Global Privacy Control (GPC)

  • Adds Sec-GPC: 1 header.
  • Signals user preference to opt-out of data sharing/tracking — improves privacy compliance.

HTTPS Strict Transport Security (HSTS)

  • Adds Strict-Transport-Security header (1 year, includeSubDomains, preload).
  • Forces browsers to always use HTTPS — protects against protocol downgrade and cookie hijacking.

MIME Sniffing Protection

  • Adds X-Content-Type-Options: nosniff header.
  • Stops browsers from interpreting files as a different MIME type — reduces certain XSS and content-based attacks.

Permissions Policy (Feature Policy)

  • Adds Permissions-Policy header to restrict browser APIs.
  • Disables geolocation, camera, and microphone access — improves user privacy and reduces attack surface.

Referrer Policy - No Referrer

  • Adds Referrer-Policy: no-referrer-when-downgrade header.
  • Controls what information is sent in the Referer header — improves privacy when navigating from HTTPS to HTTP.

Referrer Policy - Strict Mode HTTP Only

  • Adds Referrer-Policy: strict-origin-when-cross-origin header.
  • Limits referrer information sent to other sites — enhances privacy for cross-origin requests.

Remove X-Powered-By Header

  • Removes the X-Powered-By header.
  • Hides the server/technology information — reduces information leakage to potential attackers.

Server Signature Masking

  • Removes the Server header.
  • Hides server software details — minimizes information exposed to potential attackers.

Session Cookie

  • Sets HttpOnly and Secure flags on cookies, and enforces cookie-only sessions.
  • Helps protect session cookies from theft or manipulation — improves overall session security.

X-DNS-Prefetch-Control

  • Adds X-DNS-Prefetch-Control: off header.
  • Prevents browsers from pre-resolving domain names — can slightly improve privacy and reduce unnecessary DNS lookups.