Security Hardener
Basic hardening: secure headers, login honeypot, user enumeration blocking, generic login errors, rate limiting, and more.
Tracked Keywords
| Keyword | Position | Change | Type | Updated |
|---|---|---|---|---|
| hardening | 28 | — | Tag | 1 month ago |
| Brute Force | 77 | — | Tag | 1 month ago |
| login protection | 115 | — | Tag | 1 month ago |
| headers | 187 | — | Tag | 1 month ago |
Plugin Details
- Version: 2.2.0
- Last Updated: Apr 03, 2026
- Requires WP: 6.9+
- Tested Up To: 6.9.4
- PHP Version: 8.2 or higher
- Author: Marc Armengou
Support & Rating
- Rating: ☆ ☆ ☆ ☆ ☆ 0
- Reviews: 0
- Support Threads: 0
- Resolved: 0%
Frequently Asked Questions
Common questions about Security Hardener
Does this plugin slow down my site?
No. The plugin uses lightweight WordPress hooks and native functions. Security headers add negligible overhead, and rate limiting only checks transients during login attempts.
I use a CDN or proxy (Cloudflare, etc.). How do I get the correct IP?
By default, rate limiting uses REMOTE_ADDR. If your site is behind a trusted proxy, add this to wp-config.php:
    define('WPSH_TRUSTED_PROXIES', array(
        '173.245.48.0', // Example: Cloudflare IP range
        // Add your proxy IPs here
    ));
The plugin will then check HTTP_CF_CONNECTING_IP (Cloudflare) or HTTP_X_FORWARDED_FOR headers.
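Why a trusted-proxy list matters for rate limiting, shown as an added example that is not the plugin's own code: forwarded headers are honoured only when the direct peer is a listed proxy, because otherwise any client can set them. The function name `example_client_ip` and all sample addresses are hypothetical.

```php
<?php
// Added illustration, not Security Hardener's code.
// example_client_ip() and the sample values below are hypothetical.

/**
 * Resolve the client IP to key rate limiting on.
 * Forwarded headers are read only if REMOTE_ADDR is a trusted proxy.
 */
function example_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct or untrusted peer: ignore client-supplied headers
    }
    // Cloudflare passes a single address in CF-Connecting-IP.
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }
    // X-Forwarded-For is "client, proxy1, proxy2". Walk right to left and
    // take the first hop that is not one of our own proxies; entries further
    // left were supplied by the client and may be forged.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed or empty entry: stop trusting the chain
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer; // nothing usable in the headers
}

// Constructed sample requests using RFC 5737 documentation addresses.
$trusted = ['192.0.2.10'];
$cases = [
    'direct client, spoofed header' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
    ],
    'trusted proxy, forged first hop' => [
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.99',
    ],
    'trusted proxy, no headers' => ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($cases as $label => $server) {
    printf("%-32s => %s\n", $label, example_client_ip($server, $trusted));
}
```

If the trusted list is wrong or too broad, a client can rotate header values to dodge the login block or to get another visitor's address blocked, so list only the proxies that actually front the site.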
What headers does this plugin add?
When security headers are enabled:
* X-Frame-Options: SAMEORIGIN
* X-Content-Type-Options: nosniff
* Referrer-Policy: strict-origin-when-cross-origin
* Permissions-Policy: geolocation=(), microphone=(), camera=()
When HSTS is enabled (HTTPS only):
* Strict-Transport-Security: max-age=31536000; includeSubDomains (configurable)
Does the plugin work with page caching?
Yes. Security headers are sent at the PHP level before caching. However, if you use aggressive server-level caching, you may need to configure your cache to allow these headers through.
Can I use this with other security plugins?
Yes, but be careful of conflicts. If another plugin also:
* Sends security headers, you may get duplicates (usually harmless)
* Blocks user enumeration, one should be disabled
* Has login rate limiting, choose one to avoid confusion
This plugin is designed to be lightweight and focused on core WordPress hardening.
What happens to my data when I uninstall?
When you uninstall (not just deactivate) the plugin:
* All plugin settings are deleted
* All security logs are deleted
* All login rate limiting transients are cleared
* Your WordPress installation is returned to its default state
Note: Deactivating the plugin preserves all settings.
Does this block the WordPress REST API?
No. The plugin only secures user-related endpoints by requiring authentication. All other REST API functionality works normally. Public endpoints like oEmbed continue to work.
I'm locked out after too many failed attempts. What do I do?
Failed login blocks expire automatically based on your configured window (default: 15 minutes). Wait for the block period to expire, or:
1. Access your database (phpMyAdmin, etc.)
2. Search for options with _transient_wpsh_login_ in the name
3. Delete those transient options
4. Try logging in again
* Review the "Recent Security Events" log
* Use browser dev tools to inspect HTTP headers
* Try accessing /?author=1 (should return 404 if blocking is enabled)
* Test failed login attempts to verify rate limiting
Does this plugin require HTTPS?
Not required, but strongly recommended. HSTS features require HTTPS. For maximum security, your entire site should use HTTPS with a valid SSL certificate.
Is this plugin compatible with multisite?
The plugin is designed for single-site installations. Multisite compatibility has not been tested and is not officially supported at this time.