helsingborg-stad / wpmu-security
A WordPress MU Plugin for security enhancements
Type:wordpress-muplugin
Requires
Requires (Dev)
- brain/monkey: ^2.6
- codedungeon/phpunit-result-printer: ^0.31.0
- php-stubs/wordpress-stubs: ^6.8
- phpunit/phpunit: ^9.5
This package is auto-updated.
Last update: 2025-07-08 08:01:34 UTC
README
A lightweight WordPress plugin focused on modern security hardening best practices without unnecessary bloat.
🚀 Features
- ✅ Generic login error messages (prevent user enumeration)
- ✅ Generic password reset responses
- ✅ HTTP Strict Transport Security (HSTS)
- ✅ CORS configuration
- ✅ Subresource Integrity (SRI) for scripts and styles
- ✅ XML-RPC disabling
- ✅ Comment sanitization (anti-XSS)
- ✅ Content Security Policy (CSP)
- ✅ Custom port number support (development environments, custom setups)
⚙️ Configuration
This plugin is designed to be hassle-free. However, if you would like to add domains that are not detected for the Content Security Policy, use the following filter:
```php
add_filter('WpSecurity/Csp', function ($domains) {
    // Create the directive entry if it does not exist yet.
    if (!isset($domains['connect-src'])) {
        $domains['connect-src'] = [];
    }

    // Append the extra sources allowed for connect-src.
    $domains['connect-src'][] = 'https://*.domain.com';
    $domains['connect-src'][] = 'https://*.domain.net';

    return $domains;
});
```
🔧 Custom Port Support
The plugin fully supports WordPress installations running on custom ports (e.g., localhost:8080 for development). All security features work correctly with custom ports:
- ✅ CSP headers include port numbers in domain policies
- ✅ CORS headers respect the full URL with port
- ✅ SRI verification works with local assets on custom ports
- ✅ All URL parsing and domain matching handles ports correctly
No additional configuration is needed - the plugin automatically detects and handles custom ports from your WordPress site URL.
For detailed information about custom port support, see CUSTOM_PORTS.md.
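
As an added example (not part of the plugin's README or code), the callback below feeds the `WpSecurity/Csp` filter from full URLs, reducing each one to a CSP source expression and keeping any non-default port, because a host source written without a port matches only the scheme's default port. The function names, the sample URLs and the `img-src` key are assumptions; the page itself shows only `connect-src`.

```php
<?php
// Added example, not the plugin's own code. Function names and sample URLs are
// constructed; 'img-src' assumes other directives use the same array shape.

/** Reduce a URL to a CSP source expression: scheme://host[:port], or null. */
function example_csp_source(string $url): ?string
{
    $defaults = ['http' => 80, 'https' => 443, 'ws' => 80, 'wss' => 443];
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    if (!isset($defaults[$scheme])) {
        return null; // rejects data:, other schemes and malformed input
    }
    // Hostname characters only, with an optional leading "*." wildcard label.
    if (!preg_match('/^(\*\.)?[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    $source = $scheme . '://' . $host;
    // Without a port, a CSP host source matches only the scheme's default port.
    if (isset($parts['port']) && $parts['port'] !== $defaults[$scheme]) {
        $source .= ':' . $parts['port'];
    }
    return $source;
}

/** Callback for the WpSecurity/Csp filter: directive => list of sources. */
function example_add_csp_sources(array $domains): array
{
    $wanted = [
        'connect-src' => ['https://api.example.org/v1/', 'http://localhost:8080/wp-json/'],
        'img-src'     => ['https://media.example.org:8443/uploads/', 'data:text/plain,x'],
    ];
    foreach ($wanted as $directive => $urls) {
        $sources = array_filter(array_map('example_csp_source', $urls));
        $merged = array_merge($domains[$directive] ?? [], $sources);
        $domains[$directive] = array_values(array_unique($merged));
    }
    return $domains;
}

if (function_exists('add_filter')) {
    add_filter('WpSecurity/Csp', 'example_add_csp_sources');
} else {
    // Outside WordPress: show the resulting map for an existing policy entry.
    print_r(example_add_csp_sources(['connect-src' => ['https://*.domain.com']]));
}
```

Paths and query strings are dropped on purpose, so each entry allows the whole origin; the `data:` sample is rejected and never reaches the policy.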