Hack Halt Inc.
Hack Halt Security 2.x Knowledge Base
Operator guide and complete settings map for every major Security 2.x section, module, and control surface.
Quick Start: Turn These On First
Apply this baseline first on new installs, then use the section map below for deeper tuning.
- Enable MFA for privileged roles
  - Turn on: mfa_enabled, mfa_enforce_roles
  - Recommended: mfa_enabled = on; mfa_enforce_roles = administrator, editor
  - MFA is one of the highest-impact controls against account takeover.
  - Where: Settings & Tools -> Security Controls -> Multifactor policy.
- Set the core runtime baseline
  - Turn on: mode, log_admin, omit_owner_traffic_logging
  - Recommended: mode = guarded; log_admin = on; omit_owner_traffic_logging = on
  - Guarded mode plus clean telemetry gives protection and useful investigations without high break risk.
  - Where: Settings & Tools -> Security Controls.
- Turn on portal hardening essentials
  - Turn on: lockdown_enabled, disable_xmlrpc, disable_file_editor, disable_user_enum, disable_rest_user_enum
  - Recommended: all enabled
  - These remove common WordPress attack paths and reduce recon opportunities quickly.
  - Where: Settings & Tools -> Portal settings.
- Move admin off default URLs
  - Turn on: custom_admin_url_enabled, custom_admin_slug
  - Recommended: custom_admin_url_enabled = on; custom_admin_slug = unique private slug
  - Hiding predictable admin/login routes cuts automated attack pressure.
  - Where: Settings & Tools -> Portal settings.
- Enable intrusion prevention
  - Turn on: ips_enabled, ips_score_threshold, ips_block_minutes
  - Recommended: ips_enabled = on; keep defaults for threshold and block window at first
  - IPS gives continuous behavior-based blocking against brute-force and abuse spikes.
  - Where: Hack Halt -> Intrusion Protection -> Settings.
- Enable threat intel feed enforcement (licensed)
  - Turn on: threat_intel_enabled, threat_intel_auto_sync, threat_intel_action
  - Recommended: threat_intel_enabled = on; auto_sync = on; action = block
  - Known bad indicators should be denied early and kept fresh automatically.
  - Where: Hack Halt -> Firewall Policies -> Threat Intel Feeds.
- Enable honeypot deception + auto-block (premium)
  - Turn on: honeypot_enabled, honeypot_auto_block, honeypot_email_alerts
  - Recommended: all enabled
  - Deception catches hostile probing early and stops repeat offenders faster.
  - Where: Hack Halt -> Live Traffic -> Honeypots.
- Turn on continuous scan and drift alerts
  - Turn on: scanner_feed_enabled, scanner_daily_scan, fim_enabled, fim_email_alerts
  - Recommended: all enabled (or run weekly manual scans on free tier)
  - Vulnerability and file-drift coverage catches regressions and compromise signals quickly.
  - Where: Hack Halt -> Vulnerability Scanner -> Policy and Hack Halt -> File Integrity -> Monitoring Policy.

Safety note: Only enable private-portal IP restriction (custom_admin_ip_restrict_enabled) after you have confirmed stable office or VPN static IP ranges in your allowlist.
Locked Out? Quick Recovery
If a hardening setting blocks you from wp-admin, use this temporary safety switch to get back in and fix settings.
Temporary wp-config.php line:
define('HH_DISABLE_PROTECTION', true);
- Open your site's wp-config.php file.
- Add the temporary line above the "That's all, stop editing!" line.
- Save the file, then open wp-admin again. Security blocking is temporarily paused.
- Fix the setting that locked you out (usually private admin URL or IP restriction).
- Remove the line when done so full protection turns back on.
Important: This does not uninstall anything. It only gives you a safe way back into admin while you correct settings.
Dashboard
Executive security posture, attack pressure, recommendations, and trend visibility.
- Security score and posture cards.
- Traffic, blocked ratio, and response KPI tiles.
- Global traffic map and correlated threat signals.
- Recommendations based on scanner, integrity, and runtime telemetry.
Core Engine Controls
Option store: hackhalt_settings
10 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| mode | Protection mode. Runtime mode: observe, guarded, or lockdown. | This is your global protection dial. It controls how aggressively Hack Halt reacts to suspicious traffic. | Observe = log only. Guarded = selective blocking around sensitive areas. Lockdown = strict sitewide blocking. | Guarded. Strong day-to-day protection with lower break-risk than full lockdown. | Settings & Tools -> Security Controls. |
| log_admin | Log admin and login traffic. Includes wp-admin/wp-login request telemetry. | Plain English: Includes wp-admin/wp-login request telemetry. | Changing this updates how Hack Halt applies this control at runtime. | Enabled. You need admin/login visibility for account-attack investigations. | Settings & Tools -> Security Controls. |
| omit_owner_traffic_logging | Omit owner traffic. Suppresses admin-self noise in traffic telemetry. | Plain English: Suppresses admin-self noise in traffic telemetry. | Changing this updates how Hack Halt applies this control at runtime. | Enabled. Keeps telemetry cleaner by reducing self-generated admin noise. | Settings & Tools -> Security Controls. |
| trust_proxy_headers | Trust proxy headers. Uses forwarded headers for real visitor IP detection behind CDN/proxy. | Use this when your site is behind Cloudflare/CDN/reverse proxy so Hack Halt sees real visitor IPs. | If off behind a proxy, blocks may target proxy IPs instead of attackers. If on without trusted proxy, IP spoof risk increases. | Enable only if using Cloudflare/CDN/reverse proxy. Correct real-IP detection behind proxies; unsafe to force on direct-host sites. | Settings & Tools -> Security Controls. |
| allow_search_crawlers | Always allow trusted crawlers. Prevents indexing bots from being blocked on public surfaces. | Plain English: Prevents indexing bots from being blocked on public surfaces. | Changing this updates how Hack Halt applies this control at runtime. | Enabled. Protects SEO indexing while other controls stay active. | Settings & Tools -> Security Controls. |
| allow_search_crawlers_strict_verify | Strict crawler verification. Adds reverse/forward DNS validation to crawler trust checks. | This is an on/off switch. Adds reverse/forward DNS validation to crawler trust checks. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Disabled initially. Safer compatibility baseline; enable later if crawler spoofing is observed. | Settings & Tools -> Security Controls. |
| edge_ip_block_enabled | Mirror manual blocks to .htaccess. Applies manual IP blocklist at Apache edge when writable. | This is an on/off switch. Applies manual IP blocklist at Apache edge when writable. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled on Apache (.htaccess writable). Blocks manual denylist IPs earlier in the request chain. | Settings & Tools -> Security Controls. |
| debug_log | Debug logging. Writes additional diagnostics to uploads/hack-halt-logs. | Plain English: Writes additional diagnostics to uploads/hack-halt-logs. | Changing this updates how Hack Halt applies this control at runtime. | Disabled. Use only when troubleshooting to avoid noisy diagnostic logs. | Settings & Tools -> Security Controls. |
| log_retention_days | Log retention days. Days before automatic telemetry pruning; 0 disables pruning. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 30. Good balance of forensic history and DB size. | Settings & Tools -> Security Controls. |
| uninstall_purge_data | Uninstall purge flag. Controls whether plugin data is removed on uninstall. | This is an on/off switch. Controls whether plugin data is removed on uninstall. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Disabled. Prevents accidental loss of security history when removing plugin. | Plugins delete flow + DB tools lifecycle. |
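
The spoofing risk noted for trust_proxy_headers comes down to whose X-Forwarded-For value is believed. The sketch below is an added example, not Hack Halt's code: it models the check in Python, and the function names and the TRUSTED_PROXIES ranges (documentation addresses) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: ranges of the reverse proxies the site actually sits behind.
# These are RFC 5737 / RFC 3849 documentation ranges, not real CDN ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cd::/48")]


def _parse_ip(text):
    """Return an ip_address object, or None when text is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip.version == net.version and ip in net for net in trusted)


def naive_client_ip(remote_addr, x_forwarded_for):
    """Weak pattern: believe the leftmost X-Forwarded-For entry from any sender."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def resolve_client_ip(remote_addr, x_forwarded_for, trust_proxy_headers,
                      trusted=TRUSTED_PROXIES):
    """Return the address that blocking and logging should act on."""
    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError("remote_addr must be an IP address")
    # Setting off, no header, or the TCP peer is not one of our proxies:
    # the header is client-controlled input, so ignore it.
    if not (trust_proxy_headers and x_forwarded_for and _is_trusted(peer, trusted)):
        return str(peer)
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not our own proxy.
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return str(peer)      # malformed entry: fall back to the peer
        if not _is_trusted(ip, trusted):
            return str(ip)
    return str(peer)              # chain held only trusted proxies
```

With the setting on and a direct (non-proxy) peer, the hardened function still returns the peer address, while the naive one returns whatever the client wrote into the header.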
Live Traffic (IP Reports)
Real-time request intelligence and response workflow for active incidents.
- Overview runtime and trend widgets.
- Live request stream with filters and quick actions.
- Incident command chains for repeated hostile activity.
- Honeypot telemetry and deception controls (premium gate aware).
Honeypot Deception
Option store: hackhalt_settings
3 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| honeypot_enabled | Enable deception module. Activates decoy responses and honeypot signal collection. | This is an on/off switch. Activates decoy responses and honeypot signal collection. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled (if premium). Captures attacker behavior early and improves incident visibility. | Live Traffic -> Honeypots. |
| honeypot_email_alerts | Honeypot email alerts. Sends notifications for honeypot incident creation. | This controls where alerts or communication are sent. | Wrong value means important alerts/reports may go to the wrong inbox or be missed. | Enabled. Ensures incidents are noticed quickly. | Live Traffic -> Honeypots. |
| honeypot_auto_block | Auto-block on honeypot ticket. Automatically blocks hostile IPs when honeypot incident chains trigger. | This is an on/off switch. Automatically blocks hostile IPs when honeypot incident chains trigger. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Stops repeated probes faster once deception triggers. | Live Traffic -> Honeypots. |
Firewall Policies
IP lists, country controls, and premium threat-intelligence policy engine.
- Manual blocklist and allowlist operations.
- Frontend and admin geo access modes with country token selectors.
- Interactive risk map for bulk geo policy edits.
- Threat-intel feed selection, sync cadence, and verification tools.
Geo Country Policy
Option store: hackhalt_settings
6 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| geo_mode_frontend | Frontend country mode. Policy strategy for public frontend traffic (all_except or only). | This selects a behavior profile for the feature. | Different modes trade off safety, strictness, and compatibility. | all_except. Safer default so legitimate global traffic is not accidentally blocked. | Firewall Policies -> Country Risk Command. |
| geo_allowed_frontend | Frontend allowed countries. ISO country allow list used by mode logic. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Firewall Policies -> Country Risk Command. |
| geo_blocked_frontend | Frontend blocked countries. ISO country deny list used by mode logic. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Firewall Policies -> Country Risk Command. |
| geo_mode_admin | Login/admin country mode. Policy strategy for wp-login/wp-admin traffic. | This selects a behavior profile for the feature. | Different modes trade off safety, strictness, and compatibility. | only. Restrict admin/login access to your operating countries. | Firewall Policies -> Country Risk Command. |
| geo_allowed_admin | Login/admin allowed countries. ISO allow list for admin/login access policy. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Firewall Policies -> Country Risk Command. |
| geo_blocked_admin | Login/admin blocked countries. ISO block list for admin/login access policy. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Firewall Policies -> Country Risk Command. |
Threat Intelligence Feeds
Option store: hackhalt_settings
10 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| threat_intel_enabled | Enable threat intelligence. Turns feed matching and enforcement path on when licensed. | This is an on/off switch. Turns feed matching and enforcement path on when licensed. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled (if licensed). Adds high-signal threat IP intelligence to perimeter decisions. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_auto_sync | Automatic feed refresh. Runs scheduled sync jobs based on refresh interval. | This is an on/off switch. Runs scheduled sync jobs based on refresh interval. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Keeps indicators current without manual refresh burden. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_action | Threat match action. Either block immediately or observe-only logging. | What to do when an IP matches a known threat feed. | Block = stop traffic immediately. Observe = allow traffic but log matches for review. | block. Immediate deny is preferred for known bad indicators. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_refresh_hours | Refresh interval hours. How frequently selected feeds are refreshed. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 6. Frequent enough for freshness without excessive churn. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_max_indicators_per_feed | Per-feed indicator cap. Safety cap for stored indicators per feed source. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 15000. Solid coverage while keeping local dataset size manageable. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_selected_feeds | Selected feed keys. Exact feed IDs chosen for sync and matching. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Select all high-confidence curated feeds. Maximizes protection coverage with lower false-positive risk. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_abuseipdb_api_key | AbuseIPDB API key. Optional provider credential when gated feeds require it. | This stores a credential key used to connect to licensed or provider-backed services. | If missing/invalid, related premium or provider features will stay disabled or fail validation. | Enter your valid production key. Empty/invalid credentials keep the related feature locked or inactive. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_otx_api_key | AlienVault OTX API key. Optional provider credential when gated feeds require it. | This stores a credential key used to connect to licensed or provider-backed services. | If missing/invalid, related premium or provider features will stay disabled or fail validation. | Enter your valid production key. Empty/invalid credentials keep the related feature locked or inactive. | Firewall Policies -> Threat Intel Feeds. |
| threat_intel_license_key | Premium license key. Stored entitlement key used for server validation. | Your premium entitlement key used to unlock feed controls. | Invalid or missing key keeps premium feed operations locked. | Enter your valid production key. Empty/invalid credentials keep the related feature locked or inactive. | Settings & Tools -> License tab. |
| threat_intel_selected_feeds_marker | Feed marker flag. Internal helper used to detect explicit feed selection submissions. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Internal save marker (auto-managed). |
Intrusion Protection
Behavioral scoring, signature controls, and adaptive temporary block enforcement.
- Dashboard tab for IPS event flow and pressure.
- Signatures tab for per-rule enable/observe/score tuning.
- Settings tab for global thresholds and lock windows.
- Operational event history with reason labels and action outcomes.
Intrusion Protection Engine
Option store: hackhalt_settings
7 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| ips_enabled | Enable IPS engine. Turns intrusion scoring and signature enforcement on. | This is an on/off switch. Turns intrusion scoring and signature enforcement on. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Core intrusion scoring should run continuously. | Intrusion Protection -> Settings. |
| ips_requests_per_minute | Rate limit threshold. Requests-per-minute threshold used in scoring. | Plain English: Requests-per-minute threshold used in scoring. | Changing this updates how Hack Halt applies this control at runtime. | 120. Balanced baseline for typical SMB WordPress traffic. | Intrusion Protection -> Settings. |
| ips_rate_limit_score | Rate-limit score weight. Score contribution when rate threshold is exceeded. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 8. Good pressure weighting without over-penalizing short spikes. | Intrusion Protection -> Settings. |
| ips_score_threshold | Block score threshold. Minimum score required to trigger temporary block. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 12. Reasonable threshold to reduce false blocks while remaining defensive. | Intrusion Protection -> Settings. |
| ips_block_minutes | Temporary block duration. Minutes an IP stays blocked after IPS trigger. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 30. Long enough to disrupt automated attacks without excessive lockouts. | Intrusion Protection -> Settings. |
| ips_login_fail_threshold | Login fail threshold. Failed login count before temporary block applies. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 5. Common secure baseline for brute-force resistance. | Intrusion Protection -> Settings. |
| ips_login_window_minutes | Login fail window. Rolling minute window for login-failure counting. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 10. Captures concentrated credential-stuffing patterns. | Intrusion Protection -> Settings. |
Intrusion Signature Tuning
Option store: hackhalt_settings
5 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| ips_signature_settings.<signature_key>.enabled | Signature enabled. Turns an individual signature rule on or off. | Plain English: Turns an individual signature rule on or off. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default. Defaults are a safe starting point for small-business deployments. | Intrusion Protection -> Signatures. |
| ips_signature_settings.<signature_key>.observe_only | Observe-only signature mode. Logs signature matches without blocking. | This selects a behavior profile for the feature. | Different modes trade off safety, strictness, and compatibility. | Use safer middle mode first, then tighten after monitoring. Mode changes have broad compatibility and enforcement impact. | Intrusion Protection -> Signatures. |
| ips_signature_settings.<signature_key>.score | Signature score weight. Per-signature score contribution to overall IPS decision. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | Use documented default. Tuned defaults reduce false positives unless your traffic profile is unusual. | Intrusion Protection -> Signatures. |
| ips_signature_settings.<signature_key>.exclude_paths | Path exclusions. Request paths ignored for a given signature. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Intrusion Protection -> Signatures. |
| ips_signature_settings.<signature_key>.exclude_ips | IP/CIDR exclusions. Trusted source IP ranges excluded for a given signature. | Plain English: Trusted source IP ranges excluded for a given signature. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default. Defaults are a safe starting point for small-business deployments. | Intrusion Protection -> Signatures. |
Vulnerability Scanner
Definition-driven scans, server-side vulnerability matching, and remediation workflow.
- Overview and live engine visibility.
- Policy tab for schedule, dataset matching, and definition selection.
- Findings tab with severity and remediation paths.
- History tab for previous run results and cleanup controls.
Vulnerability Scanner Policy
Option store: hackhalt_settings
6 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| scanner_daily_scan | Daily scheduled scan. Enables scheduled scanner execution (premium-gated). | This is an on/off switch. Enables scheduled scanner execution (premium-gated). | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled if premium; otherwise run manual weekly. Regular scanning catches regressions early. | Vulnerability Scanner -> Policy. |
| scanner_feed_enabled | Server vulnerability matching. Enables Hack Halt server dataset lookup during scans. | This is an on/off switch. Enables Hack Halt server dataset lookup during scans. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Ensures installed software is matched against known vulnerability intelligence. | Vulnerability Scanner -> Policy. |
| scanner_feed_refresh_hours | Feed refresh interval. Hours between vulnerability dataset refresh checks. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 12. Reliable refresh cadence for most SMB patch windows. | Vulnerability Scanner -> Policy. |
| scanner_feed_max_findings | Max findings cap. Maximum vulnerability matches returned per run. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 500. Enough room for meaningful output without oversized reports. | Vulnerability Scanner -> Policy. |
| scanner_include_informational | Include informational findings. Includes no-CVSS informational rows in results. | Plain English: Includes no-CVSS informational rows in results. | Changing this updates how Hack Halt applies this control at runtime. | Disabled. Keeps reports focused on actionable risk first. | Vulnerability Scanner -> Policy. |
| scanner_definitions | Enabled scanner definitions. Selected definition keys executed in scanner workflows. | Selects which scan checks are included when the scanner runs. | More definitions = broader coverage but longer scan time. | Only include what you explicitly trust or need. List controls directly shape access, enforcement, and noise levels. | Vulnerability Scanner -> Policy. |
CSP
Content Security Policy builder with learning mode, quick discovery scan, and violation logs.
- Module enable and mode selection (learning or enforced).
- Header hardening options including HSTS and Referrer-Policy.
- Directive source lists with per-directive tuning.
- Quick scan/apply loop and live violation triage queue.
CSP Module Core Settings
Option store: hackhalt_csp_settings
14 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| enabled | Enable CSP module. Turns CSP header generation on. | Master on/off switch for the CSP security header system. | Off = no CSP headers sent. On = CSP headers are sent based on your policy. | Enabled. Keeps CSP protections available once policy is tuned. | Hack Halt -> CSP -> Policy tab. |
| mode | CSP mode. learning (report-only) or enforce. | This chooses whether CSP is testing only or actively blocking browser content. | Learning mode reports violations without breaking pages. Enforce mode blocks disallowed scripts/styles. | learning (start), then enforce after review. Prevents accidental frontend breakage while policy is being tuned. | Hack Halt -> CSP -> Policy tab. |
| include_admin | Apply CSP in admin. Applies policy on wp-admin pages. | This is an on/off switch. Applies policy on wp-admin pages. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Disabled initially. Admin screens often need extra sources; phase this in after testing. | Hack Halt -> CSP -> Policy tab. |
| include_login | Apply CSP on login page. Applies policy on login endpoint. | This is an on/off switch. Applies policy on login endpoint. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Login page is high-risk and usually simpler to secure. | Hack Halt -> CSP -> Policy tab. |
| reporting_enabled | Violation reporting. Enables report-uri style telemetry endpoint behavior. | This is an on/off switch. Enables report-uri style telemetry endpoint behavior. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Reporting helps tune CSP safely before strict enforcement. | Hack Halt -> CSP -> Policy tab. |
| security_headers_enabled | Security headers bundle. Enables companion response security headers. | This is an on/off switch. Enables companion response security headers. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Companion security headers add defense-in-depth with low effort. | Hack Halt -> CSP -> Policy tab. |
| hsts_enabled | HSTS enabled. Sends Strict-Transport-Security header. | This is an on/off switch. Sends Strict-Transport-Security header. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled (HTTPS-only sites). Forces secure transport and prevents downgrade attacks. | Hack Halt -> CSP -> Policy tab. |
| hsts_max_age | HSTS max-age. HSTS max-age seconds value (0-63072000). | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 31536000. Industry-standard one-year baseline for stable HTTPS sites. | Hack Halt -> CSP -> Policy tab. |
| hsts_include_subdomains | HSTS include subdomains. Adds includeSubDomains to HSTS. | This is an on/off switch. Adds includeSubDomains to HSTS. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled only if all subdomains are HTTPS-ready. Can break subdomains that still serve non-HTTPS content. | Hack Halt -> CSP -> Policy tab. |
| hsts_preload | HSTS preload. Adds preload token when using preload program requirements. | This is an on/off switch. Adds preload token when using preload program requirements. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Disabled unless preload requirements are fully met. Preload is hard to roll back and should be intentional. | Hack Halt -> CSP -> Policy tab. |
| x_content_type_options_enabled | X-Content-Type-Options. Sends nosniff header when enabled. | This is an on/off switch. Sends nosniff header when enabled. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Low-risk hardening against MIME-type confusion. | Hack Halt -> CSP -> Policy tab. |
| referrer_policy_enabled | Referrer-Policy enabled. Enables configurable referrer policy header. | This is an on/off switch. Enables configurable referrer policy header. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled. Limits metadata leakage to external sites. | Hack Halt -> CSP -> Policy tab. |
| referrer_policy | Referrer policy mode. Selected referrer policy value. | This selects a behavior profile for the feature. | Different modes trade off safety, strictness, and compatibility. | strict-origin-when-cross-origin. Strong privacy with good analytics compatibility. | Hack Halt -> CSP -> Policy tab. |
| scanner_max_urls | Quick scan max URLs. Crawl depth cap for CSP quick discovery scan. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 18. Good quick-scan depth for SMB sites without long crawls. | Hack Halt -> CSP -> Quick Scan tab. |
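
To confirm that a site really sends what the table above recommends, the response headers can be checked directly. This is an added example, not part of Hack Halt: a Python check of a response's headers against the recommended baseline, where the finding codes and the two sample responses are constructed for illustration and the header names are the standard ones.

```python
# Baseline values taken from the settings table above.
RECOMMENDED_MAX_AGE = 31536000          # hsts_max_age recommendation (one year)
RECOMMENDED_REFERRER = "strict-origin-when-cross-origin"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains, preload)."""
    max_age, include_subdomains, preload = None, False, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted string
            max_age = int(arg) if arg.isascii() and arg.isdigit() else None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def audit_headers(headers, https=True):
    """Return a list of finding codes; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Learning mode is report-only: violations are reported, nothing is blocked.
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("csp-report-only")
        else:
            findings.append("csp-missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        if https:
            findings.append("hsts-missing")
    elif not https:
        findings.append("hsts-over-http")    # browsers ignore HSTS on plain HTTP
    else:
        max_age, include_subdomains, preload = parse_hsts(hsts)
        if max_age is None:
            findings.append("hsts-invalid-max-age")
        elif max_age < RECOMMENDED_MAX_AGE:
            findings.append("hsts-short-max-age")
        # Preload submission needs max-age of at least one year plus includeSubDomains.
        if preload and not (include_subdomains and (max_age or 0) >= RECOMMENDED_MAX_AGE):
            findings.append("hsts-preload-incomplete")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")

    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append("referrer-policy-missing")
    elif referrer.lower() != RECOMMENDED_REFERRER:
        findings.append("referrer-policy-differs")
    return findings


# Constructed responses (not captured from a real site).
TUNING_RESPONSE = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
    "Strict-Transport-Security": "max-age=86400; preload",
    "X-Content-Type-Options": "nosniff",
}
BASELINE_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(audit_headers(TUNING_RESPONSE))
    print(audit_headers(BASELINE_RESPONSE))
```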
CSP Directives
Option store: hackhalt_csp_settings
14 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| directives.default-src | Directive source list<br>Allowed sources for default-src. Keep lists strict and explicit. | Plain English: Allowed sources for default-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.script-src | Directive source list<br>Allowed sources for script-src. Keep lists strict and explicit. | Plain English: Allowed sources for script-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.style-src | Directive source list<br>Allowed sources for style-src. Keep lists strict and explicit. | Plain English: Allowed sources for style-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.img-src | Directive source list<br>Allowed sources for img-src. Keep lists strict and explicit. | Plain English: Allowed sources for img-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.font-src | Directive source list<br>Allowed sources for font-src. Keep lists strict and explicit. | Plain English: Allowed sources for font-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.connect-src | Directive source list<br>Allowed sources for connect-src. Keep lists strict and explicit. | Plain English: Allowed sources for connect-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.frame-src | Directive source list<br>Allowed sources for frame-src. Keep lists strict and explicit. | Plain English: Allowed sources for frame-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.media-src | Directive source list<br>Allowed sources for media-src. Keep lists strict and explicit. | Plain English: Allowed sources for media-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.object-src | Directive source list<br>Allowed sources for object-src. Keep lists strict and explicit. | Plain English: Allowed sources for object-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.form-action | Directive source list<br>Allowed sources for form-action. Keep lists strict and explicit. | Plain English: Allowed sources for form-action. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.base-uri | Directive source list<br>Allowed sources for base-uri. Keep lists strict and explicit. | Plain English: Allowed sources for base-uri. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.frame-ancestors | Directive source list<br>Allowed sources for frame-ancestors. Keep lists strict and explicit. | Plain English: Allowed sources for frame-ancestors. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.manifest-src | Directive source list<br>Allowed sources for manifest-src. Keep lists strict and explicit. | Plain English: Allowed sources for manifest-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
| directives.worker-src | Directive source list<br>Allowed sources for worker-src. Keep lists strict and explicit. | Plain English: Allowed sources for worker-src. Keep lists strict and explicit. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Hack Halt -> CSP -> Policy directives. |
File Integrity
Baseline lifecycle controls, drift alerts, and suspicious file signal workflow.
- Policy controls for scanning, alerting, and upgrade suppression.
- Trusted uploads plugin-path suppression tuning.
- Manual run scan and rebuild baseline controls.
- Alert review tables and suppression event history.
File Integrity Monitoring Policy
Option store: hackhalt_settings
6 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| fim_enabled | Enable integrity scans<br>Activates baseline drift scanning lifecycle. | This is an on/off switch. Activates baseline drift scanning lifecycle. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>Filesystem drift detection is a high-value compromise signal. | File Integrity -> Monitoring Policy. |
| fim_auto_rebaseline_upgrade | Auto-refresh baseline after upgrades<br>Rebaselines automatically when upgrade windows are detected. | Plain English: Rebaselines automatically when upgrade windows are detected. | Changing this updates how Hack Halt applies this control at runtime. | Enabled<br>Reduces false positives during legitimate update windows. | File Integrity -> Monitoring Policy. |
| fim_email_alerts | Email drift alerts<br>Sends alert emails when suspicious drift is detected. | This controls where alerts or communication are sent. | Wrong value means important alerts/reports may go to the wrong inbox or be missed. | Enabled<br>Important to receive immediate integrity alerts. | File Integrity -> Monitoring Policy. |
| fim_alert_email | Integrity alert recipient<br>Destination email for integrity alert notifications. | This controls where alerts or communication are sent. | Wrong value means important alerts/reports may go to the wrong inbox or be missed. | Use a monitored security inbox<br>Alerts are only useful if someone reliably receives and acts on them. | File Integrity -> Monitoring Policy. |
| fim_upgrade_grace_minutes | Upgrade grace window<br>Suppresses noisy upgrade drift for configured minutes. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 90<br>Allows normal update churn to settle before alerting. | File Integrity -> Monitoring Policy. |
| fim_upload_php_trusted_paths | Trusted uploads plugin paths<br>Trusted upload executable-path prefixes used for suppression tuning. | Trusted upload locations for plugins that legitimately use executable files in uploads. | Reduces false alerts for known-safe plugins, but over-trusting can hide real abuse in those paths. | Only known safe plugin upload paths<br>Minimizes false positives without hiding suspicious unknown paths. | File Integrity -> Monitoring Policy. |
Settings & Tools
Cross-module control plane with portal hardening, controls, feedback, license, and docs.
- Portal settings tab for lockdown and private admin URL.
- Security controls tab for core runtime, crawler, proxy, and MFA.
- Feedback tab for bug report pipeline and ticket sync settings.
- License and documentation tabs for premium activation and in-app manual.
Portal Hardening And Lockdown
Option store: hackhalt_settings
14 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| lockdown_enabled | Global lockdown switch<br>Turns high-impact lockdown protections on across WordPress attack surfaces. | This is an on/off switch. Turns high-impact lockdown protections on across WordPress attack surfaces. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Settings & Tools -> Portal settings. |
| disable_xmlrpc | Disable XML-RPC<br>Blocks XML-RPC endpoint usage. | This is an on/off switch. Blocks XML-RPC endpoint usage. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Settings & Tools -> Portal settings. |
| disable_file_editor | Disable file editor<br>Disables in-dashboard theme/plugin editor vectors. | This is an on/off switch. Disables in-dashboard theme/plugin editor vectors. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Settings & Tools -> Portal settings. |
| disable_dir_listing | Disable directory listing<br>Applies managed directory-listing suppression rules. | This is an on/off switch. Applies managed directory-listing suppression rules. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Settings & Tools -> Portal settings. |
| disable_comments_global | Disable comments globally<br>Removes comment surfaces and capabilities site-wide. | This is an on/off switch. Removes comment surfaces and capabilities site-wide. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Settings & Tools -> Portal settings. |
| disable_user_enum | Block user enumeration<br>Reduces account discovery via common query vectors. | Plain English: Reduces account discovery via common query vectors. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Settings & Tools -> Portal settings. |
| disable_rest_user_enum | Block REST user enumeration<br>Restricts user listing through REST endpoints. | Plain English: Restricts user listing through REST endpoints. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Settings & Tools -> Portal settings. |
| custom_admin_url_enabled | Private admin URL enabled<br>Activates custom portal route instead of default admin aliases. | This is an on/off switch. Activates custom portal route instead of default admin aliases. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>Hides default WordPress login/admin paths from common automated attacks. | Settings & Tools -> Portal settings. |
| custom_admin_slug | Private portal slug<br>Custom path for admin access route. | Your private admin path. This is the hidden URL admins use instead of default login/admin paths. | Changing it moves your admin entrance. Use a memorable but private slug and share only with trusted admins. | Unique private slug (example: hh-portal-2026)<br>Predictable slugs are easier to guess; use a private route. | Settings & Tools -> Portal settings. |
| custom_admin_ip_restrict_enabled | Private portal IP restriction<br>Requires source IP/CIDR to match allowlist for portal access. | Locks the private admin URL so only approved IP addresses can open it. | Very strong protection, but can lock you out if your IP changes and is not in the allowlist. | Disabled unless you have stable office/VPN static IP<br>Excellent control, but dynamic IP changes can lock admins out. | Settings & Tools -> Portal settings. |
| custom_admin_ip_allowlist | Portal IP allowlist<br>Allowed static IPs/CIDR ranges for portal access. | List of approved IPs/CIDR ranges that can access your private admin portal. | Only listed IPs can enter. Keep this updated if office/VPN/residential IPs change. | Office/VPN static IPs or CIDR ranges only<br>Keeps portal reachable only from trusted networks. | Settings & Tools -> Portal settings. |
| portal_ip_restrict_add_current_ip | Include current IP helper<br>Temporary helper checkbox used during save to add detected IP. | Plain English: Temporary helper checkbox used during save to add detected IP. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Settings & Tools -> Portal settings (save-time helper). |
| portal_ip_restrict_ack_static | Static IP acknowledgement<br>Safety acknowledgement required before enabling portal IP restriction. | Plain English: Safety acknowledgement required before enabling portal IP restriction. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Settings & Tools -> Portal settings (save-time helper). |
| portal_ip_restrict_ack_lockout | Lockout acknowledgement<br>Confirms operator understands lockout risk before enabling IP guard. | Plain English: Confirms operator understands lockout risk before enabling IP guard. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Settings & Tools -> Portal settings (save-time helper). |
MFA Policy
Option store: hackhalt_settings
2 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| mfa_enabled | Enable MFA module<br>Turns Google Authenticator MFA enforcement on. | This is an on/off switch. Turns Google Authenticator MFA enforcement on. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>MFA is one of the highest-impact controls against account takeover. | Settings & Tools -> Security Controls -> Multifactor policy. |
| mfa_enforce_roles | MFA-enforced roles<br>Role keys that require MFA enrollment and code challenge. | Which user roles must pass Google Authenticator MFA at login. | Broader role coverage improves security but requires more users to complete MFA setup. | administrator, editor<br>Covers high-privilege roles while limiting rollout friction. | Settings & Tools -> Security Controls -> Multifactor policy. |
Feedback Settings
Option store: hackhalt_settings
2 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| feedback_screenshot_max_mb | Screenshot size limit<br>Max upload size (MB) for bug-report screenshots. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 2<br>Large enough for clear evidence while controlling upload abuse. | Settings & Tools -> Feedback. |
| feedback_ticket_retention_days | Ticket history retention<br>Days to keep synced feedback ticket history locally. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | 45<br>Keeps recent support history without excessive data growth. | Settings & Tools -> Feedback. |
Setup Wizard
Guided onboarding flow that writes module policies in a safe operational order.
- MFA policy and enrollment kickoff.
- Portal hardening and optional IP guard safety gates.
- Geo policy starter configuration.
- Scanner, File Integrity, and CSP first-run setup actions.
Setup Wizard Payload Keys
Option store: hh_setup (wizard request payload)
25 keys
| Setting key | Technical control | Plain-English explanation | What happens if changed | Small business recommended value | Where to configure |
|---|---|---|---|---|---|
| mfa_enabled | Wizard MFA enable<br>Wizard step writes MFA module state. | This is an on/off switch. Wizard step writes MFA module state. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> MFA step. |
| mfa_enforce_roles | Wizard MFA roles<br>Wizard role selection for MFA enforcement. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need<br>List controls directly shape access, enforcement, and noise levels. | Setup Wizard -> MFA step. |
| custom_admin_url_enabled | Wizard portal URL enable<br>Wizard enables private admin portal routing. | This is an on/off switch. Wizard enables private admin portal routing. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> Portal URL step. |
| custom_admin_slug | Wizard portal slug<br>Wizard private portal slug value. | This is a URL-friendly path value used to route traffic to a specific protected area. | Changing it changes where traffic is routed. Update bookmarks and internal docs after changes. | Set a unique private slug and document it internally<br>Predictable slugs reduce the security benefit of hidden endpoints. | Setup Wizard -> Portal URL step. |
| custom_admin_ip_restrict_enabled | Wizard portal IP guard<br>Wizard toggle for private portal IP restriction. | This is an on/off switch. Wizard toggle for private portal IP restriction. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> Portal URL step. |
| custom_admin_ip_allowlist | Wizard portal allowlist<br>Wizard allowlist rows for portal guard. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need<br>List controls directly shape access, enforcement, and noise levels. | Setup Wizard -> Portal URL step. |
| portal_ip_restrict_add_current_ip | Wizard add current IP<br>Wizard helper to append current IP at save. | Plain English: Wizard helper to append current IP at save. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Setup Wizard -> Portal URL step. |
| portal_ip_restrict_ack_static | Wizard static-IP acknowledgement<br>Wizard safety confirmation for static IP expectation. | Plain English: Wizard safety confirmation for static IP expectation. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Setup Wizard -> Portal URL step. |
| portal_ip_restrict_ack_lockout | Wizard lockout acknowledgement<br>Wizard safety confirmation for lockout awareness. | Plain English: Wizard safety confirmation for lockout awareness. | Changing this updates how Hack Halt applies this control at runtime. | Use plugin default<br>Defaults are a safe starting point for small-business deployments. | Setup Wizard -> Portal URL step. |
| geo_mode_frontend / geo_allowed_frontend / geo_blocked_frontend | Wizard frontend geo policy<br>Wizard frontend country mode and country lists. | This is a grouped wizard shortcut that writes several related settings together. | Changing this in the wizard updates multiple controls in one step. | Use wizard defaults, then review each underlying setting in module pages<br>Grouped wizard keys are shortcuts, not long-term fine-tuning controls. | Setup Wizard -> Geo Policy step. |
| geo_mode_admin / geo_allowed_admin / geo_blocked_admin | Wizard admin geo policy<br>Wizard login/admin country mode and country lists. | This is a grouped wizard shortcut that writes several related settings together. | Changing this in the wizard updates multiple controls in one step. | Use wizard defaults, then review each underlying setting in module pages<br>Grouped wizard keys are shortcuts, not long-term fine-tuning controls. | Setup Wizard -> Geo Policy step. |
| scanner_feed_enabled | Wizard scanner intelligence toggle<br>Enables server dataset matching for scans. | This is an on/off switch. Enables server dataset matching for scans. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> Vulnerability Scanner step. |
| scanner_definitions | Wizard scanner definitions<br>Definition keys selected during setup. | This is a list-based control that decides what is included, trusted, blocked, or enforced. | Items you add become active policy inputs. Items you remove stop influencing decisions. | Only include what you explicitly trust or need<br>List controls directly shape access, enforcement, and noise levels. | Setup Wizard -> Vulnerability Scanner step. |
| scanner_daily_scan | Wizard daily scanner schedule<br>Scheduled scan toggle configured in wizard. | This is an on/off switch. Scheduled scan toggle configured in wizard. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> Vulnerability Scanner step. |
| scanner_run_now | Wizard run scanner now<br>One-time action trigger for immediate scan. | One-time wizard action to immediately run a vulnerability scan. | Triggers a scan now; it does not permanently toggle scanner policy by itself. | Enable during onboarding; leave off for normal saves<br>These are one-time action triggers, not permanent policy states. | Setup Wizard -> Vulnerability Scanner step. |
| fim_enabled / fim_auto_rebaseline_upgrade / fim_email_alerts | Wizard file-integrity toggles<br>Core file-integrity policy fields written by wizard. | This is a grouped wizard shortcut that writes several related settings together. | Changing this in the wizard updates multiple controls in one step. | Use wizard defaults, then review each underlying setting in module pages<br>Grouped wizard keys are shortcuts, not long-term fine-tuning controls. | Setup Wizard -> File Integrity step. |
| fim_alert_email | Wizard integrity alert email<br>Alert destination set in wizard. | This controls where alerts or communication are sent. | Wrong value means important alerts/reports may go to the wrong inbox or be missed. | Use a monitored security inbox<br>Alerts are only useful if someone reliably receives and acts on them. | Setup Wizard -> File Integrity step. |
| fim_upgrade_grace_minutes | Wizard integrity upgrade grace<br>Upgrade suppression window set in wizard. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | Use documented default<br>Minute windows are sensitivity controls; defaults are usually tested baselines. | Setup Wizard -> File Integrity step. |
| fim_build_baseline | Wizard build baseline now<br>One-time baseline build action trigger. | One-time wizard action to create the initial file-integrity baseline snapshot. | Creates the comparison reference used for future drift detection. | Enable during onboarding; leave off for normal saves<br>These are one-time action triggers, not permanent policy states. | Setup Wizard -> File Integrity step. |
| fim_run_scan | Wizard run integrity scan<br>One-time integrity scan action trigger. | This is an on/off switch. One-time integrity scan action trigger. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enable during onboarding; leave off for normal saves<br>These are one-time action triggers, not permanent policy states. | Setup Wizard -> File Integrity step. |
| csp_enabled / csp_mode | Wizard CSP core toggles<br>CSP module state and mode set by wizard. | This is a grouped wizard shortcut that writes several related settings together. | Changing this in the wizard updates multiple controls in one step. | Use wizard defaults, then review each underlying setting in module pages<br>Grouped wizard keys are shortcuts, not long-term fine-tuning controls. | Setup Wizard -> CSP step. |
| csp_include_admin / csp_include_login | Wizard CSP scope toggles<br>Admin/login CSP coverage toggles from wizard. | This is a grouped wizard shortcut that writes several related settings together. | Changing this in the wizard updates multiple controls in one step. | Use wizard defaults, then review each underlying setting in module pages<br>Grouped wizard keys are shortcuts, not long-term fine-tuning controls. | Setup Wizard -> CSP step. |
| csp_reporting_enabled | Wizard CSP reporting toggle<br>CSP reporting endpoint behavior from wizard. | This is an on/off switch. CSP reporting endpoint behavior from wizard. | Turning it on activates this protection/behavior. Turning it off disables it completely. | Enabled<br>For small business deployments, secure-by-default toggles should usually stay on. | Setup Wizard -> CSP step. |
| csp_scanner_max_urls | Wizard CSP scan max URLs<br>URL cap for wizard quick-scan action. | This is a numeric limit/timing value that tunes how sensitive or strict this feature is. | Higher values usually increase tolerance/volume; lower values usually increase strictness and faster enforcement. | Use documented default<br>Tuned defaults reduce false positives unless your traffic profile is unusual. | Setup Wizard -> CSP step. |
| csp_run_quick_scan | Wizard CSP quick-scan action<br>One-time action trigger to run CSP discovery scan. | One-time wizard action to run CSP discovery crawl. | Builds policy suggestions; does not force them live unless you apply/save. | Enable during onboarding; leave off for normal saves<br>These are one-time action triggers, not permanent policy states. | Setup Wizard -> CSP step. |
