
ScudoWP Documentation

Everything you need to set up and master ScudoWP, with free and PRO features explained. Search, filter, and tell us what you find useful.


Getting started

Installation and activation

Download, install and activate ScudoWP on your WordPress site.

ScudoWP is available as a free plugin from WordPress.org or as a premium version from Freemius. Download the free version through your WordPress admin under Plugins > Add New, search for 'ScudoWP', click Install Now, then Activate. Alternatively, download the plugin ZIP file from WordPress.org, go to Plugins > Upload Plugin in your WordPress admin, select the file, click Install Now, and then Activate.

Upon activation, ScudoWP creates its database schema, schedules background scanning jobs, and generates a recovery token that is emailed to your site admin. This token is a one-time-use link that lets you enter Safe Mode if you are ever locked out of wp-admin; treat that email as a credential, because anyone holding the link can switch enforcement off without logging in. The plugin then automatically applies a baseline of low-risk hardening controls that do not break sites: hiding the WordPress version number, disabling theme and plugin file editing, and sending security headers.

No manual configuration is required immediately after activation; the plugin works out of the box. You can access the ScudoWP dashboard by going to the WordPress admin menu and clicking the ScudoWP icon to begin reviewing your security score and recommendations.


The setup wizard

Walk through optional hardening steps and configure additional security features.

ScudoWP includes an optional setup wizard that guides you through configuring additional security features beyond the safe baseline. The wizard helps you decide which protections to enable based on your environment. For example, it will explain whether your server supports .htaccess rules, whether your site has a valid SSL certificate (required for HSTS), and whether you have Jetpack active (which affects XML-RPC rules). The wizard never forces you to turn on features that could break your site.

Through the wizard you can configure two-factor authentication (2FA) using TOTP on an authenticator app, enable brute-force protection with login-attempt limits and lockouts, set up the Web Application Firewall (WAF) to block SQL-injection and XSS attacks, and choose password-security policies. Aggressive controls like enforced 2FA for all users or full XML-RPC blocking are left as optional steps in the wizard so you can test them first.

You can return to the setup wizard at any time through the dashboard settings to adjust your choices, enable new modules, or review environment-specific warnings and fallback suggestions.


Safe Mode and recovery

Three database-less escape routes to recover if you are locked out.

ScudoWP provides three independent ways to enter Safe Mode, each requiring no WordPress database access. All three temporarily disable all enforcement (the firewall passes through, 2FA is bypassed, security headers are not sent) while keeping the recovery UI reachable so you can carefully undo what went wrong. The first escape route is the recovery token link emailed to your admin email when you activate ScudoWP—simply open it in your browser to enter Safe Mode without needing to log in.

The second route is to add define( 'SCUDOWP_SAFE_MODE', true ); to your wp-config.php file with an SFTP or file-manager client; Safe Mode is then active on the very next page load. The third route is to run the WP-CLI command wp scudowp reset from your server terminal, which writes a marker file that ScudoWP checks on startup. All three methods are evaluated before the database is queried, so they work even if the database is offline or corrupted.

When Safe Mode is active, the dashboard displays a prominent warning and a step-by-step recovery guide. Troubleshoot and disable the problem feature one at a time, then exit Safe Mode. If you entered through the wp-config.php constant, remove that line when you are done: as long as it is defined, Safe Mode is re-detected on every load and enforcement stays off. Safe Mode entries are recorded in the activity log so you have a record of when recovery was needed.


Environment-aware feature gating

ScudoWP automatically detects your server and adapts which features are available.

ScudoWP automatically inspects your hosting environment and disables features that cannot work on your server setup, rather than silently failing or breaking your site. For example, .htaccess-based protections (like login-URL hiding and uploads-PHP blocking) are only shown as available on servers that support .htaccess and have a writable .htaccess file. On Nginx servers or hosts with immutable filesystems, these controls are marked unavailable with a reason and a fallback suggestion—such as using the generated Nginx configuration snippet instead.

Similarly, HSTS security headers require a valid SSL certificate, so ScudoWP will only offer HSTS if your site already has HTTPS working. If you have Jetpack active, XML-RPC is required for Jetpack to function, so the plugin automatically degrades to selective XML-RPC mode (whitelisting only the methods Jetpack needs) instead of blocking it entirely. The REST endpoint /scudowp/v1/capabilities returns the full capability matrix for every feature, showing availability, severity level, reason if blocked, and documentation links.

You can view the detailed capability report in the dashboard under Settings > Diagnostics. This helps you understand why a feature is unavailable and what you can do about it—upgrade your hosting, request permission changes, or implement the suggested fallback.


Firewall (WAF)

Web Application Firewall (Free)

Blocks SQL injection and XSS attacks before they reach WordPress using pattern-based detection rules.

ScudoWP includes a free Web Application Firewall that runs early in the WordPress bootstrap process to inspect requests and block common web attacks. The firewall uses deterministic pattern matching to identify unambiguous attack payloads including SQL injection (SQLi), cross-site scripting (XSS), path traversal, local file inclusion, and command injection attempts. Once enabled, any request matching a rule receives a 403 Forbidden response and is logged for audit purposes.

The free WAF includes a conservative built-in rule set targeting high-signal patterns. The rules inspect query parameters, POST data, and other request elements for attack signatures like UNION SELECT statements, basic XSS patterns (<script>, <iframe>, javascript: handlers), traversal sequences (../), system commands, and dangerous PHP functions. Because the firewall aims to block attacks without producing false positives that would lock out legitimate users, rules are deliberately conservative and focus only on unambiguous payloads.

To enable the firewall, navigate to the Firewall tab in ScudoWP and toggle on 'Web Application Firewall'. The setting is opt-in (off by default) and always respects Safe Mode—if Safe Mode is active, the firewall automatically passes all requests through without blocking, ensuring an administrator can never be locked out. Every blocked request is logged in the activity log with details of which rule was triggered.

The firewall never relies on external services or feeds for its core operation; all detection is done locally using built-in rules. Because only unambiguous payloads are matched, encoded or obfuscated variants that the built-in rules do not recognise are not blocked by the free set. In Safe Mode or if the firewall is disabled, the site operates without WAF protection but remains fully accessible, giving you a recovery path if issues ever arise.


Premium WAF Rules & Threat Feed (Pro)

PRO

Continuously-updated firewall rules signed and delivered from a live threat-intelligence feed to block evolving attacks.

Premium subscribers gain access to an advanced WAF rule set that is continuously updated from a live threat-intelligence feed. These rules are cryptographically signed before delivery, ensuring they come from ScudoWP and have not been tampered with in transit. The premium rules cover a much broader spectrum of attack patterns than the free baseline and are kept current as new attack techniques emerge, giving your site protection against the latest threats within hours of discovery.

The premium WAF rules supersede and extend the free rule set. They include signatures for zero-day patterns, obfuscated attack variations, and sophisticated evasion techniques that would only be discovered through active threat intelligence. Rules are maintained as pure data (patterns only, never executable code) and fetched from a signed remote channel, ensuring your security updates happen without requiring a plugin version upgrade.

To use premium rules, first ensure the basic Web Application Firewall is enabled in the Firewall tab. Premium rules are automatically activated if your license is valid and your site has internet connectivity to fetch updates. The plugin manages rule synchronization in the background; you do not need to manually import or manage the rule file. All rule activity—both free and premium—is logged in the activity log for transparency.

Because premium rules are data-only and signed, they carry no risk of executing arbitrary code on your site. If rule delivery fails (network outage, expired license), the firewall falls back to the bundled free rules automatically, ensuring your site remains protected without interruption.


Advanced Rate Limiting (Pro)

PRO

Throttle abusive clients by limiting requests per minute, protecting against brute force and denial-of-service attacks.

ScudoWP's premium rate limiting feature allows you to enforce request-per-minute caps on API endpoints and login attempts, protecting your site from brute-force attacks, credential-stuffing botnets, and resource-exhaustion denial-of-service attempts. Rate limits are evaluated early in the request pipeline—before database queries or expensive operations—and block requests that exceed the threshold with a 429 Too Many Requests response, while logging each violation.

The rate limiter tracks requests using a rolling time window without requiring a database. It supports APCu (in-memory counters with automatic expiry) when available for maximum performance, and falls back to file-based counters (using atomic file locks) when APCu is unavailable. Both backends are fully featured and transparent to the administrator; the plugin automatically selects the best available method. If neither works (extremely rare edge cases), the limiter fails open and allows the request—rate limiting must never take your site down.
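To make the backend selection and the fail-open rule concrete, here is an added Python example (not ScudoWP's implementation): a rolling-window counter with an in-memory backend standing in for APCu, a file-locked fallback, and a limiter that tries each backend in turn and allows the request when none of them works. The backends, the file layout and the synthetic burst in simulate() are assumptions made for the example.

```python
"""Rolling-window rate limiter: in-memory backend first, file-locked fallback,
fail-open if both are unusable.

Added example, not ScudoWP's implementation. MemoryBackend stands in for
APCu, the file layout is constructed, and the traffic in simulate() is
synthetic with a fixed clock so the outcome is deterministic.
"""
import fcntl
import json
import os
import tempfile
import time

WINDOW_SECONDS = 60


class MemoryBackend:
    """Process-local stand-in for APCu: per-key list of hit timestamps."""

    def __init__(self):
        self._hits = {}

    def record_and_count(self, key, now, window):
        hits = [t for t in self._hits.get(key, []) if t > now - window]
        hits.append(now)
        self._hits[key] = hits
        return len(hits)


class FileBackend:
    """One small JSON file per key. An exclusive flock covers the whole
    read-modify-write so concurrent workers never lose a count."""

    def __init__(self, directory):
        self.directory = directory

    def _path(self, key):
        safe = "".join(c if c.isalnum() or c in ".-" else "_" for c in key)
        return os.path.join(self.directory, safe + ".json")

    def record_and_count(self, key, now, window):
        fd = os.open(self._path(key), os.O_RDWR | os.O_CREAT, 0o600)
        with os.fdopen(fd, "r+") as fh:
            fcntl.flock(fh, fcntl.LOCK_EX)
            try:
                raw = fh.read()
                hits = json.loads(raw) if raw else []
                hits = [t for t in hits if t > now - window]
                hits.append(now)
                fh.seek(0)
                fh.truncate()
                fh.write(json.dumps(hits))
                fh.flush()
            finally:
                fcntl.flock(fh, fcntl.LOCK_UN)
        return len(hits)


class RateLimiter:
    def __init__(self, limit_per_minute, backends):
        self.limit = limit_per_minute
        self.backends = list(backends)  # tried in order

    def check(self, client_ip, scope="login", now=None):
        """Return (allowed, hits_in_window). Fails open when no backend works."""
        now = time.time() if now is None else now
        key = f"{scope}:{client_ip}"
        for backend in self.backends:
            try:
                count = backend.record_and_count(key, now, WINDOW_SECONDS)
            except (OSError, ValueError):
                continue  # unwritable directory or corrupt file: try the next backend
            return count <= self.limit, count
        return True, 0  # rate limiting must never take the site down


def simulate(limiter, client_ip="198.51.100.7"):
    """Constructed burst: 12 hits within one second, then one hit a minute later."""
    base = 1_700_000_000.0
    decisions = [limiter.check(client_ip, now=base + i * 0.01)[0] for i in range(12)]
    decisions.append(limiter.check(client_ip, now=base + 61.0)[0])
    return decisions


def demo():
    memory = RateLimiter(10, [MemoryBackend()])
    files = RateLimiter(10, [FileBackend(tempfile.mkdtemp())])
    broken = RateLimiter(10, [FileBackend("/nonexistent/scudowp-demo")])
    return simulate(memory), simulate(files), broken.check("192.0.2.1")


if __name__ == "__main__":
    print(demo())
```

Both backends give the same answer for the same burst: ten hits pass, the eleventh and twelfth are refused, and the hit a minute later passes again because the window has rolled. The third limiter points at a directory that does not exist and therefore allows everything, which is the fail-open behaviour the paragraph describes. Keys are per scope and client IP, so login and API traffic from one client are counted separately.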

To configure rate limiting, navigate to the Firewall tab and enable 'Advanced rate limiting'. You can set a requests-per-minute threshold that applies to login attempts, API endpoints, or other sensitive operations. The threshold is validated at runtime and logged whenever a client is rate-limited. Because the rate limiter operates without the WordPress database, it works even if a database-level attack is underway, providing defense in depth.

Rate limits are applied per client IP address. If your site is behind a CDN (Cloudflare, for example), be sure to enable the GeoIP & CDN real-IP feature so rate limits track the real client IP instead of the CDN edge IP, ensuring fair enforcement.


GeoIP Blocking & CDN Real-IP (Pro)

PRO

Block traffic by country and resolve the real client IP behind a CDN to apply security rules correctly.

With GeoIP blocking, you can restrict access to your site based on the visitor's geographic location. This is useful if your business only operates in specific countries, or if you want to block known high-risk regions. Configure a list of blocked countries in the Firewall tab, and ScudoWP will deny requests from those regions with a 403 Forbidden response. GeoIP data comes from a bundled country-code database, so there are no external lookups required for each request.

If your site sits behind a CDN such as Cloudflare, you also need to enable the CDN real-IP feature. Without it, every request appears to come from the CDN's edge server address rather than the visitor's own IP, so GeoIP rules, rate limits and allowlists would all act on the wrong address. ScudoWP verifies that REMOTE_ADDR falls within your CDN provider's published IP ranges and only then trusts the headers the CDN adds for the visitor's address and country (for example, Cloudflare's CF-IPCountry header for the country). A request that does not arrive from a verified edge can carry those headers too, but they are ignored, because any client could forge them. This ensures GeoIP blocks, rate limits, and IP allowlists are applied against the real client IP, not the CDN edge.

To enable this feature, go to the Firewall tab and toggle on 'GeoIP blocking'. Select your CDN provider (if applicable) from the dropdown list. ScudoWP supports Cloudflare and can be extended to support additional CDN providers. Enter the countries you wish to block by their two-letter ISO code (for example, US, CN, RU). The setting is optional; if GeoIP blocking is disabled, all requests are allowed regardless of location.

Edge verification happens on every request using CIDR-range matching against the CDN's published IP ranges. If the request does not come from a known CDN IP, the country header is ignored entirely and the request is allowed; this fail-open design ensures no legitimate traffic is wrongly blocked by a misconfiguration. The flip side is that traffic reaching your origin directly, bypassing the CDN, is never geo-blocked, so if country blocking matters to you, restrict origin access to your CDN's ranges at the host or firewall level. All country blocks are logged in the activity log.
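An added example (not ScudoWP's code) of the verification order the two paragraphs above describe: REMOTE_ADDR is matched against the CDN's CIDR ranges first, and only a verified edge gets to supply the client address and country. The CDN ranges here are TEST-NET blocks standing in for a provider's published list, the header names follow Cloudflare's CF-Connecting-IP and CF-IPCountry, and the sample requests are constructed.

```python
"""Verify the CDN edge before trusting its real-IP and country headers, with a
fail-open GeoIP decision.

Added example, not ScudoWP's code. CDN_RANGES are constructed TEST-NET
blocks standing in for a provider's published list (load the real list from
your CDN); the header names follow Cloudflare's CF-Connecting-IP and
CF-IPCountry; the sample requests are constructed.
"""
import ipaddress

CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
CLIENT_IP_HEADER = "CF-Connecting-IP"
COUNTRY_HEADER = "CF-IPCountry"


def is_cdn_edge(remote_addr):
    """True only when the TCP peer (REMOTE_ADDR) is inside a published CDN range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


def resolve_client(remote_addr, headers):
    """Return (client_ip, country, trusted). Headers from anything other than a
    verified edge are ignored, because any client can set them."""
    if not is_cdn_edge(remote_addr):
        return remote_addr, None, False
    client_ip = headers.get(CLIENT_IP_HEADER, remote_addr)
    try:
        client_ip = str(ipaddress.ip_address(client_ip))
    except ValueError:
        client_ip = remote_addr  # garbage header: never let it poison logs or counters
    country = headers.get(COUNTRY_HEADER, "")
    country = country.upper() if len(country) == 2 and country.isalpha() else None
    return client_ip, country, True


def geoip_decision(remote_addr, headers, blocked_countries):
    """403 only for a verified, blocked country; everything else is allowed."""
    client_ip, country, trusted = resolve_client(remote_addr, headers)
    if trusted and country in blocked_countries:
        return 403, client_ip, country
    return 200, client_ip, country


BLOCKED = {"RU", "CN"}

# Constructed requests: (REMOTE_ADDR, headers).
SAMPLES = {
    "via_cdn_blocked": ("203.0.113.10", {CLIENT_IP_HEADER: "198.51.100.5", COUNTRY_HEADER: "RU"}),
    "via_cdn_allowed": ("203.0.113.11", {CLIENT_IP_HEADER: "198.51.100.6", COUNTRY_HEADER: "DE"}),
    "spoofed_headers": ("192.0.2.9", {CLIENT_IP_HEADER: "10.0.0.1", COUNTRY_HEADER: "DE"}),
    "garbage_header": ("203.0.113.12", {CLIENT_IP_HEADER: "not-an-ip", COUNTRY_HEADER: "RU"}),
    "ipv6_edge": ("2001:db8:100::7", {CLIENT_IP_HEADER: "2001:db8:200::1", COUNTRY_HEADER: "cn"}),
}

if __name__ == "__main__":
    for name, (addr, hdrs) in SAMPLES.items():
        print(name, geoip_decision(addr, hdrs, BLOCKED))
```

The spoofed_headers case is the one to study: the same headers that would be trusted from an edge are dropped on a direct connection and the request is allowed, which is exactly why origin access should be restricted to the CDN's ranges if geo-blocking needs to hold.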


Malware and scanning

Malware & Integrity Scan (Free)

Resumable scans of WordPress core files and plugins against official checksums, plus heuristic-based malware detection.

ScudoWP includes a free malware and file-integrity scanner that runs on-demand or on a schedule (via WP-Cron). The scanner performs two complementary checks: a deterministic integrity scan that compares your WordPress core files against the official release checksums, and a heuristic malware scan that examines file content for obfuscation, encoding, and malicious behavior patterns. Both scans are resumable—they process chunks of files, allowing huge sites to scan without timeouts or memory exhaustion.

The integrity scan downloads the official MD5 checksums for your WordPress version from a trusted source and compares them against your installed files. Any file that differs from the official release is flagged as modified (potential compromise or unauthorized change). Missing files are also reported. The scan skips well-known files that legitimately vary (like readme.html and license.txt) so you see only genuinely suspicious findings. If official checksums are unavailable (offline or for a very new release), the scan degrades gracefully rather than failing.

The malware scan uses signature-based detection (known malware patterns), behavior heuristics (obfuscation techniques common in malware), and context clues (PHP files in the uploads directory, publicly-reachable code). Each file receives a score from 0-100; files scoring 70 or higher are marked as malicious, 30-69 as suspicious, and below 30 as clean. The scan reports contributing matches (which signatures/heuristics triggered) so you understand why a file was flagged and can make an informed decision about remediation.

To run a scan, go to the Scanner tab and click 'Scan Now'. Scans run in the background and do not block the WordPress dashboard. For large sites, the scan may take several minutes but will not timeout. Scan results are persisted and visible in the Scanner tab, showing all findings grouped by severity. You can view the scan history to track when scans ran and what was found.


Vulnerability Advisory Overlay (Free)

Flags installed plugins and themes with known vulnerabilities and detects abandoned extensions no longer receiving updates.

ScudoWP scans your installed plugins, themes, and WordPress core against a bundled vulnerability baseline that lists known, published security advisories. The free tier includes a curated snapshot of advisories for popular extensions, allowing you to identify components with disclosed vulnerabilities that may put your site at risk. The advisory scan also checks the official WordPress.org repository to detect plugins and themes that have not been updated in approximately two years, indicating they are likely abandoned and may have unpatched vulnerabilities.

When you run an advisory scan, ScudoWP matches each installed component (core, plugin, theme) against the vulnerability database. For each match, it reports the severity (critical, high, medium, low), which version the fix is available in, and a reference link for details. Abandoned extensions are flagged separately with a warning that they no longer receive maintenance. The scan is conservative: if the WordPress.org API is unreachable, ScudoWP never wrongly marks an extension as abandoned—it only reports abandonment when it successfully confirms the last update was two years or more ago.

To run an advisory scan, go to the Scanner tab and click 'Scan Now' or look for the Advisories section. The scan contacts the WordPress.org API to check when each plugin and theme was last updated, so it requires an internet connection. Results are displayed immediately and are also stored in the Scanner history. You can export findings for your records or share them with a development team.

The free advisory baseline is updated with each ScudoWP release. If you need more frequent updates (same-day vulnerability intelligence for zero-days and newly disclosed issues), you can upgrade to the premium tier, which includes a live curated threat feed that is continuously synchronized in the background.


Live Curated Threat Feed (Pro)

PRO

Same-day vulnerability intelligence merged on top of the bundled baseline, kept continuously up to date.

Premium subscribers gain access to a live curated vulnerability feed that is maintained by security experts and updated continuously (multiple times per day as new vulnerabilities are discovered and disclosed). This feed supersedes and extends the free bundled baseline, giving you protection against the latest threats within hours of public disclosure, rather than waiting for the next ScudoWP release. The feed is delivered as pure JSON data (never executable code) and is cryptographically signed to ensure authenticity.

The live feed is merged automatically with the bundled free baseline during advisory scans. When an entry in the live feed shares an ID with the baseline (the same vulnerability from multiple sources), the live feed version wins, ensuring you always see the most current information including updated severity ratings, affected version ranges, and fix availability. New vulnerabilities discovered after the last baseline release are delivered via the live feed only.
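An added example (not ScudoWP's code) covering both the advisory matching described in the free section above and the feed merge described here: version ranges are compared numerically, abandonment is only reported when the last-update date was actually obtained, and live-feed entries replace baseline entries that share an ID. The advisory records, installed components and the last-updated lookup that stands in for the WordPress.org API response are constructed.

```python
"""Advisory matching, conservative abandonment detection and live-feed merge.

Added example, not ScudoWP's code: the advisory records, the live-feed
entries, the installed components and the last-updated lookup (a stand-in
for the WordPress.org API result, with None meaning "unreachable") are all
constructed.
"""
from datetime import date, timedelta

ABANDONED_AFTER = timedelta(days=730)
TODAY = date(2025, 1, 15)


def parse_version(text):
    """'2.3.1' -> (2, 3, 1, 0); non-numeric parts count as 0."""
    nums = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(installed, advisory):
    """Affected when introduced <= installed < fixed (no fix => every later version)."""
    version = parse_version(installed)
    if version < parse_version(advisory.get("introduced", "0")):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or version < parse_version(fixed)


def is_abandoned(last_updated, today=TODAY):
    """None means the repository could not be reached: never report abandonment on a guess."""
    return last_updated is not None and today - last_updated >= ABANDONED_AFTER


def merge_feeds(baseline, live):
    """Entries sharing an ID: the live version wins; new live IDs are appended."""
    merged = {entry["id"]: entry for entry in baseline}
    merged.update((entry["id"], entry) for entry in live)
    return list(merged.values())


def advisory_scan(installed, advisories, last_updated, today=TODAY):
    findings = []
    for comp in installed:
        for adv in advisories:
            if (adv["type"], adv["slug"]) == (comp["type"], comp["slug"]) and is_affected(comp["version"], adv):
                findings.append((comp["slug"], adv["id"], adv["severity"], adv.get("fixed")))
        if comp["type"] != "core" and is_abandoned(last_updated.get(comp["slug"]), today):
            findings.append((comp["slug"], "abandoned", "warning", None))
    return findings


BASELINE = [
    {"id": "ADV-0001", "type": "plugin", "slug": "example-forms", "introduced": "1.0", "fixed": "2.3.1", "severity": "high"},
    {"id": "ADV-0002", "type": "theme", "slug": "demo-theme", "introduced": "0", "fixed": "1.5", "severity": "medium"},
]
LIVE = [
    {"id": "ADV-0001", "type": "plugin", "slug": "example-forms", "introduced": "1.0", "fixed": "2.3.2", "severity": "critical"},
    {"id": "ADV-0003", "type": "plugin", "slug": "old-gallery", "introduced": "0", "fixed": None, "severity": "low"},
]
INSTALLED = [
    {"type": "core", "slug": "wordpress", "version": "6.5"},
    {"type": "plugin", "slug": "example-forms", "version": "2.3.1"},
    {"type": "theme", "slug": "demo-theme", "version": "1.6"},
    {"type": "plugin", "slug": "old-gallery", "version": "0.9"},
    {"type": "plugin", "slug": "fresh-plugin", "version": "1.0"},
]
LAST_UPDATED = {
    "example-forms": TODAY - timedelta(days=30),
    "demo-theme": TODAY - timedelta(days=10),
    "old-gallery": TODAY - timedelta(days=900),
    "fresh-plugin": None,  # WordPress.org API unreachable for this slug
}


def demo():
    """Same install scanned with the bundled baseline alone and with the live feed merged in."""
    baseline_only = advisory_scan(INSTALLED, BASELINE, LAST_UPDATED)
    with_live = advisory_scan(INSTALLED, merge_feeds(BASELINE, LIVE), LAST_UPDATED)
    return baseline_only, with_live


if __name__ == "__main__":
    for label, findings in zip(("baseline", "baseline+live"), demo()):
        print(label, findings)
```

With the baseline alone, example-forms 2.3.1 looks patched; after the merge the live entry's later fix version (2.3.2) wins and the same install is reported as critical. fresh-plugin is never called abandoned because its lookup returned nothing.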

To enable the live feed, your site must have a valid ScudoWP Pro license and internet connectivity to fetch updates from the remote feed URL. Configuration is automatic; you do not need to manually configure a feed URL unless you are running ScudoWP in an air-gapped environment and have a custom feed provider. The plugin synchronizes the feed in the background and caches it locally, so advisory scans happen instantly even if the feed server is temporarily unavailable.

The live feed provides the same advisory intelligence as the free baseline—vulnerabilities, affected version ranges, fix versions, and severity ratings. The difference is timeliness: free users see vulnerabilities as they are bundled into releases (typically monthly), while Pro users see them as they are discovered (typically the same day a vulnerability is public). This gives your team early warning to plan and execute updates before attackers can exploit widely-known issues.


Login and access

Two-Factor Authentication (TOTP)

Enable self-service two-factor authentication using any authenticator app.

Two-factor authentication (2FA) adds a second verification layer to user logins. ScudoWP implements RFC 6238 Time-based One-Time Password (TOTP), which is compatible with popular authenticator apps like Google Authenticator, Microsoft Authenticator, Authy, and FreeOTP. Users can enroll themselves without administrator configuration — each user manages their own authenticator secret and backup codes.

To enable 2FA, navigate to ScudoWP → Login security and enable the 'Two-factor authentication (TOTP)' option. Once active, users will see a setup prompt on their profile page. Users scan a QR code with their authenticator app, verify the setup with a 6-digit code, and save backup codes for emergency recovery. Users with 2FA enabled must supply their current 6-digit code at login alongside their password.

The TOTP implementation is dependency-free and requires no external services. Codes change every 30 seconds (one time step), and verification tolerates up to one time step of clock drift (±30 seconds), so minor clock skew between the server and the user's authenticator app does not cause lockouts. Backup codes can be used instead of the authenticator app if the device is lost, and users can re-enroll at any time from their profile.


Two-Factor Enforcement by Role

PRO

Require two-factor authentication for specific user roles with a remember-this-device option.

This premium feature enforces two-factor authentication for chosen user roles (Administrator, Editor, Author, Subscriber) without locking users out. When a user with a role that requires 2FA has not enrolled yet, they see a persistent admin notice prompting them to set up 2FA in ScudoWP → Login security. Once enrolled, the 2FA challenge applies every login.

To configure 2FA enforcement, go to ScudoWP → Login security and enable 'Two-factor enforcement by role'. Select which roles must use 2FA: check any combination of Administrator, Editor, Author, or Subscriber. The 'Remember this device for X days' setting allows users to skip the 2FA challenge on trusted devices for a configured period (default 30 days), improving usability while maintaining security.

Enforcement is deliberately non-blocking: a user whose role requires 2FA but who has not yet enrolled still completes their login on the first attempt and is simply reminded to set it up. This prevents accidental lockouts of the last administrator. Once enrolled and enabled, the normal 2FA login flow applies and the user must provide a valid code or backup code to proceed.


Brute-Force Protection

Limit login attempts and lock out attackers with an admin-IP allowlist that never locks out the legitimate administrator.

Brute-force protection limits and throttles login attempts to slow down credential-guessing attacks. ScudoWP tracks failed login attempts per IP address and enforces a rolling-window lockout: once the maximum number of failed attempts is reached within a time window, that IP cannot log in again until the lockout period expires. The settings are configurable to match your risk tolerance.

Enable and configure brute-force protection in ScudoWP → Login security. Set the maximum number of failed login attempts allowed (default 5) and the lockout duration in minutes (default 15). The 'Block attempts from unknown usernames' option immediately stops login attempts for non-existent usernames, a strong bot signal. The admin-IP allowlist is a critical anti-lockout safeguard: any IP on the allowlist can never be locked out, protecting the legitimate administrator from being blocked by shared office/VPN exit IPs if an attacker on the same network is brute-forcing. Bear in mind that the allowlist exempts every client behind that IP, attacker included, so pair it with 2FA on administrator accounts rather than relying on it alone.

The protection is surface-aware: brute-force attempts over XML-RPC (which can be amplified via system.multicall) are tracked separately from web-login attempts, so abuse of one surface never locks the other. This prevents a shared egress IP from being locked out of the web login if someone is attacking the XML-RPC endpoint. Each failed attempt is logged for audit purposes and can be reviewed in the activity log.


Login CAPTCHA

Stop automated login bots with an invisible honeypot and signed time-trap, no third-party service needed.

The login CAPTCHA uses a zero-dependency invisible challenge to block automated login bots while never bothering humans. It combines two signals: an off-screen honeypot field that only a fill-every-field bot would trip, and a signed timestamp that rejects submissions arriving faster than a human could plausibly read and type the login form. A human cannot see or interact with either field, and password managers are explicitly excluded from auto-filling the honeypot.

Enable the login CAPTCHA in ScudoWP → Login security by checking 'Login CAPTCHA'. Once active, every login form carries the honeypot and signed timestamp. A rejected bot is shown a user-friendly message: if the form is too old they are asked to reload; if they submitted too fast they are asked to wait. These rejections never feed the brute-force lockout counter, preventing a benign bounce from locking an admin out.

The CAPTCHA is scoped only to the interactive core wp-login.php form. It never affects XML-RPC, REST, application-password authentication, or front-end forms like WooCommerce or Elementor, which carry no CAPTCHA fields. IPs on the admin allowlist are always exempt from the challenge, and Safe Mode disables it to ensure recovery routes always work.


Comment & Form Spam Protection

Protect comments and forms from automated spam using a honeypot and time-trap, with built-in support for Contact Form 7, WPForms, and Gravity Forms.

Comment spam protection uses a honeypot and signed time-trap to detect automated comment submissions. The honeypot is a screen-reader-hidden, off-screen field that humans never see but a fill-everything bot trips. The time-trap is a signed token that rejects submissions arriving faster than a human could read and type a comment. Comments flagged as spam are sent to the spam queue for moderation review, never hard-rejected, so real comments are never lost.

Enable comment spam protection in ScudoWP → Login security by checking 'Comment & form spam protection'. Only anonymous comments are checked — logged-in users are authenticated and trusted. The honeypot is the primary reliable signal; the time-trap is best-effort on page-cached forms. A flagged comment is marked as spam for the admin to review, while legitimate comments always go through.

Form protection extends the same honeypot to Contact Form 7, WPForms, and Gravity Forms. Supported form plugins are auto-detected and protected when installed and active. For forms, the verdict uses the honeypot only (never the time-trap) to avoid false positives that could lose real submissions. Form spam verdicts flow through each plugin's own spam handling. Administrators testing forms are exempt from all checks.
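An added example (not ScudoWP's code) of the honeypot and signed time-trap used by the login CAPTCHA above and, with the honeypot as the primary signal, by comment and form protection: the token binds a timestamp to the form name with an HMAC, the login check rejects too-fast and too-old submissions as bounces rather than failed logins, comments treat only "too fast" as spam because cached pages serve old tokens, and third-party forms use the honeypot alone. The signing key, field names, thresholds, verdict strings and sample submissions are assumptions.

```python
"""Invisible honeypot plus HMAC-signed time-trap, as used for the login form
and, with the honeypot as the primary signal, for comments and contact forms.

Added example, not ScudoWP's code. The signing key, field names, the 3-second
and 12-hour thresholds and the sample submissions are constructed; the
verdict strings are assumptions.
"""
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-site-specific-key"
HONEYPOT_FIELD = "website_confirm"  # rendered off-screen with autocomplete="off"
TOKEN_FIELD = "_form_token"
MIN_SECONDS = 3          # faster than a human can read and fill the form
MAX_SECONDS = 12 * 3600  # older tokens are stale: ask the user to reload


def issue_token(form, at=None):
    """'<unix ts>.<hmac>'; the form name is bound in so a login token is useless on a comment form."""
    ts = str(int(time.time() if at is None else at))
    sig = hmac.new(SIGNING_KEY, f"{form}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_token(form, token, at=None):
    """Return 'ok', 'too_fast', 'too_old' or 'invalid'."""
    now = time.time() if at is None else at
    try:
        ts, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, f"{form}:{ts}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "invalid"
        age = now - int(ts)
    except (ValueError, AttributeError):
        return "invalid"
    if age < MIN_SECONDS:
        return "too_fast"
    if age > MAX_SECONDS:
        return "too_old"
    return "ok"


def login_verdict(fields, at=None, allowlisted=False, safe_mode=False):
    """'pass' or a rejection reason. Rejections are user-facing bounces and are
    deliberately not failed-login events, so they never feed a lockout counter."""
    if safe_mode or allowlisted:
        return "pass"
    if fields.get(HONEYPOT_FIELD):
        return "honeypot"
    result = check_token("login", fields.get(TOKEN_FIELD, ""), at)
    return "pass" if result == "ok" else result


def comment_verdict(fields, at=None, logged_in=False):
    """Anonymous comments only. Honeypot is the reliable signal; the time-trap is
    best effort because a page cache can serve an old token, so only 'too_fast'
    counts. Spam goes to moderation, never a hard reject."""
    if logged_in:
        return "approve"
    if fields.get(HONEYPOT_FIELD):
        return "spam"
    if check_token("comment", fields.get(TOKEN_FIELD, ""), at) == "too_fast":
        return "spam"
    return "approve"


def form_verdict(fields, is_admin=False):
    """Contact Form 7 / WPForms / Gravity Forms: honeypot only, never the time-trap."""
    if is_admin:
        return "ok"
    return "spam" if fields.get(HONEYPOT_FIELD) else "ok"


if __name__ == "__main__":
    token = issue_token("login", at=1_000)
    print(login_verdict({TOKEN_FIELD: token, "log": "alice"}, at=1_001))
    print(login_verdict({TOKEN_FIELD: token, "log": "alice"}, at=1_010))
```

The three callers share the same token format but weigh the signals differently, which is the point: a login form can afford to bounce a stale token with a "please reload", a comment form cannot, because the page it was served from may have been cached hours ago.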


XML-RPC Two-Factor Requirement

Require two-factor authentication on XML-RPC password logins instead of disabling the endpoint entirely.

XML-RPC is a credential-authentication surface that can be brute-forced just like the web login, and attacks can be amplified via system.multicall. Instead of disabling XML-RPC (which breaks legitimate use like Jetpack), this feature keeps the endpoint alive but requires two-factor on password authentication. Accounts without 2FA enabled cannot authenticate over XML-RPC at all; accounts with 2FA must append their current 6-digit TOTP code to the password (format: password123456).

Enable this in ScudoWP → Login security by checking 'XML-RPC two-factor requirement'. Once active, XML-RPC password authentication follows these rules: an account without 2FA enrolled is refused; an account with 2FA must submit the password with the current 6-digit code appended, and the last six characters of the submitted string are always taken as the code, even if the password itself ends in digits; a missing or incorrect code is rejected with a uniform error message that never leaks which check failed.

The feature is XML-RPC-only and never affects the web login, REST application-password authentication, or signed methods (like Jetpack's token-based auth). The verdict is a pure function and anti-lockout safe: it respects the brute-force lockout (a locked IP never gets past the lockout check) and every recovery route (Safe Mode, the marker file, the constant) disables it. Backup codes are web-recovery-only and not accepted over XML-RPC.
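The TOTP mechanics from the Two-Factor Authentication section and the XML-RPC password-plus-code rule above, as one added Python example (not ScudoWP's implementation): RFC 6238 code generation, verification with a one-step drift window, and an XML-RPC check that refuses accounts without 2FA, splits the last six characters off the submitted string and evaluates both factors before returning a single verdict. The secret is the RFC 6238 test secret, the user records and clock values are constructed, and the PBKDF2 hash stands in for WordPress's own password hashing.

```python
"""RFC 6238 TOTP with a one-step drift window, and the XML-RPC rule that the
current code is appended to the password.

Added example, not ScudoWP's implementation. SECRET is the RFC 6238 test
secret, the user records and clock values are constructed, and the PBKDF2
password hash is a stand-in for WordPress's own password hashing.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30
DIGITS = 6
DRIFT_STEPS = 1  # accept the previous and the next step as well (+/-30 s)


def totp(secret_b32, at=None):
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // STEP)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret_b32, code, at=None):
    """Check every step in the drift window; no early exit, constant-time compares."""
    now = time.time() if at is None else at
    ok = False
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        ok |= hmac.compare_digest(totp(secret_b32, now + delta * STEP), code)
    return ok


def hash_password(password):
    # Stand-in for WordPress's hasher; a fixed constructed salt keeps the demo deterministic.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)


def xmlrpc_password_auth(user, submitted, at=None):
    """XML-RPC password login: refuse accounts without 2FA; otherwise the last six
    characters are always the code and the rest is the password. Both checks run
    regardless of the other's result so the failure reason is never leaked."""
    if not user.get("totp_secret"):
        return False
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    password_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at)
    return password_ok and code_ok


SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret "12345678901234567890"
USERS = {
    "alice": {"password_hash": hash_password("correct horse 2024"), "totp_secret": SECRET},
    "bob": {"password_hash": hash_password("hunter2"), "totp_secret": None},
}

if __name__ == "__main__":
    print(totp(SECRET, at=59), verify_totp(SECRET, "287082", at=89))
    print(xmlrpc_password_auth(USERS["alice"], "correct horse 2024" + totp(SECRET, at=59), at=59))
```

The values asserted below are the RFC 6238 SHA-1 test vectors truncated to six digits. The drift check shows the ±30 s window from the page: the code for T=59 is still accepted at T=89 (one step later) but not at T=120.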


Strong-Password Policy

Enforce strong passwords that resist guessing: minimum length, mixed case, numbers, and symbols.

Strong-password policy enforces consistent password requirements on profile updates, password resets, and user registrations. ScudoWP requires a minimum of 10 characters and mandates the inclusion of uppercase letters, lowercase letters, at least one number, and at least one symbol. A password like 'MyP@ssw0rd' or 'Secure#Pass123' meets the policy; 'password123' or '12345678' does not. Meeting the composition rules does not by itself make a password hard to guess ('MyP@ssw0rd' is a widely used substitution pattern); the compromised-password check described below is what catches passwords that are already in attackers' wordlists.

Enable strong-password policy in ScudoWP → Login security by checking 'Strong-password policy'. When enabled, any user setting or changing a password receives clear feedback on what is required if the password is weak. The check is applied consistently across the user profile edit page, password reset flow, and user registration. This raises the baseline security of all accounts on the site.

The policy is enforced at the point of password submission, so users see the requirement and feedback before saving. There is no premium tier for this feature; the strong-password rules are the same for all users and roles.


Compromised-Password Blocking

PRO

Reject passwords that have appeared in known data breaches using the k-anonymity model for privacy.

This premium feature prevents users from setting passwords that have appeared in public data breaches. ScudoWP queries the HaveIBeenPwned range API using a k-anonymity approach: only the first 5 characters of the password's SHA-1 hash are sent to the API (never the password or full hash), ensuring the password itself is never exposed. If the password is found in the breach database, the user is asked to choose a different one.

Enable compromised-password blocking in ScudoWP → Login security by checking 'Block compromised passwords'. Once active, the check runs on profile updates and password resets (anywhere a password is set). The network request to the range API has a 5-second timeout, so a slow connection or service unavailability does not block the user from setting a password — the check gracefully fails open.
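An added example (not ScudoWP's code) tying the strong-password policy from the previous section to the k-anonymity lookup described here: the composition check returns the unmet requirements, the breach lookup hashes the candidate locally and sends only the five-character SHA-1 prefix, and a failed lookup fails open. The fetcher is injectable so the example runs offline against a constructed range response; hibp_fetch() shows the real call and is not exercised here. The breach count in the fake response is made up.

```python
"""Strong-password composition check and a k-anonymity breach lookup that
fails open on timeout.

Added example, not ScudoWP's code. The range-API fetcher is injectable so the
block runs offline against a constructed response; hibp_fetch() is the real
call (https://api.pwnedpasswords.com/range/<prefix>) and is not used by the
tests. The breach count in fake_fetch() is made up.
"""
import hashlib
import re
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def policy_errors(password, min_length=10):
    """Return the list of unmet requirements (empty when the password passes)."""
    checks = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "a number"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [message for passed, message in checks if not passed]


def hibp_fetch(prefix, timeout=5.0):
    """Send only the first five hex characters of the SHA-1; None on any failure."""
    try:
        req = Request(RANGE_API + prefix, headers={"User-Agent": "scudowp-docs-example"})
        with urlopen(req, timeout=timeout) as response:
            return response.read().decode("ascii", "replace")
    except Exception:  # timeout, DNS failure, HTTP error: the caller fails open
        return None


def breach_count(password, fetch=hibp_fetch):
    """Occurrences in the breach corpus, 0 if absent, None if the lookup failed."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]  # only the prefix ever leaves the server
    body = fetch(prefix)
    if body is None:
        return None
    for line in body.splitlines():
        tail, _, count = line.strip().partition(":")
        if tail == suffix:
            return int(count)
    return 0


def password_problems(password, require_strong=True, block_compromised=True, fetch=hibp_fetch):
    """Everything wrong with a candidate password; empty means it may be set."""
    problems = policy_errors(password) if require_strong else []
    if block_compromised:
        count = breach_count(password, fetch)
        if count:  # None (lookup failed) and 0 both pass: fail open
            problems.append(f"seen {count} times in known breaches")
    return problems


def fake_fetch(prefix):
    """Constructed range response: the suffix of SHA-1('password') plus filler lines."""
    return ("0000000000000000000000000000000000A:1\r\n"
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\r\n")


def failing_fetch(prefix):
    return None  # stand-in for a 5-second timeout or an outage


if __name__ == "__main__":
    print(password_problems("password", fetch=fake_fetch))
    print(password_problems("MyP@ssw0rd", fetch=failing_fetch))
```

Note that 'MyP@ssw0rd' passes the composition rules and, because the constructed response does not list it, the breach check too; against the real range API it would be rejected, which is the whole reason the two checks are meant to run together.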

This feature is premium-only and requires an active license. It works in tandem with the strong-password policy: you can require both strong and non-compromised passwords, in which case a user cannot set a password that is either weak or breached. The check is transparent to users, and because the lookup compares the full hash suffix against the returned range, a rejection always means that exact password has appeared in a breach corpus; there are no false positives.


Hide Login & Backend

PRO

Move the login URL to a custom slug and hide wp-admin from automated scanning.

This premium feature serves wp-login.php only at a secret custom slug, leaving the default login at 404 or redirecting bots to the home page. Set a custom slug like 'secret-login' or 'admin-portal' and wp-login.php becomes available only at yourdomain.com/secret-login; requests to /wp-login.php return a 404 or redirect. The feature also closes the other two unauthenticated credential surfaces — XML-RPC password auth (when Jetpack is not active) and application-password auth — to ensure the hidden login is actually hidden.

Enable and configure hide-login in ScudoWP → Login security. Check 'Hide login & backend', enter a custom slug (lowercase alphanumeric with hyphens, 2–64 characters), and optionally check 'Redirect bots to home page' to send bots to home_url() instead of showing a 404. The slug is validated in real-time; invalid slugs (too short, reserved names like 'wp-admin', bad characters) are rejected. All login-related URLs (password-reset, logout, etc.) automatically update to use the new slug.

This feature has extensive lockout protections: it is premium-only and never runs in Safe Mode, so every recovery route (constant, marker file, wp-cli reset) instantly restores the default login. Logged-in administrators are never blocked, and recovery flows (password reset, logout, post-password) always work. If the slug leaks, simply change it in the settings and all URLs update immediately. Treat the hidden slug as a way to cut scanner noise rather than as a credential: keep brute-force protection and 2FA enabled for the accounts behind it.

Hide Admin Bar

Hide the WordPress admin bar for non-administrators.

The admin bar is the WordPress toolbar that appears at the top of the front end for logged-in users. Hiding it for non-administrators prevents accidental clicks on admin links and reduces the attack surface for users who do not need it. Administrators always see the admin bar, ensuring they retain full access.

Enable this in ScudoWP → Login security by checking 'Hide the admin bar'. Once active, the admin bar is hidden for all users except those with the 'manage_options' capability (typically Administrators). Logged-in Editors, Authors, Subscribers, and custom roles see a clean front end without the admin bar. Administrators continue to see and use the bar normally.

This is a simple, front-end-only setting with no performance impact. It uses WordPress' standard show_admin_bar filter and respects all other plugins and themes that also manage admin bar visibility.

Hardening and headers

Security Headers

Send protective HTTP response headers including CSP in report-only mode, X-Frame-Options, and HSTS checks.

Security headers are HTTP response headers that instruct browsers on how to handle content. ScudoWP sends a conservative set automatically: X-Frame-Options (SAMEORIGIN) prevents clickjacking by disallowing the site from being framed on other domains; X-Content-Type-Options (nosniff) prevents MIME-sniffing attacks; Referrer-Policy (strict-origin-when-cross-origin) controls what referrer information is leaked; Permissions-Policy restricts dangerous browser APIs (geolocation, microphone, camera); and Content-Security-Policy-Report-Only enforces safe origin policies in report mode without blocking content.

The CSP begins in report-only mode — violations are logged but not enforced — so you can monitor what needs adjustment before turning enforcement on. The report-only policy allows 'self' for scripts and styles, allows images from self, data: and https: sources, and disables object embeds. Enforcement mode is planned for a future release; once you have verified that no legitimate content would be blocked, you will be able to switch to it.

These headers work server-wide and require no configuration. Enable or verify them in ScudoWP (they are on by default). The plugin also runs an HTTPS/HSTS check to warn if HTTPS is not fully configured, preventing the mistake of enabling HSTS headers on an HTTP site (which would lock visitors out). Security headers are sent via PHP so they work on any web server without .htaccess modifications.

HSTS Check & HTTP Strict Transport Security

Enable HSTS to force HTTPS and verify your site has a valid SSL certificate before enabling the sticky header.

HTTP Strict Transport Security (HSTS) is a sticky header that tells browsers to always use HTTPS for your domain. Once a visitor loads your site over HTTPS with the HSTS header, their browser will refuse HTTP connections for one year (or however long you set max-age). HSTS is extremely effective but dangerous if enabled on an HTTP site or with an invalid certificate — visitors can be locked out for the entire max-age period.

ScudoWP includes an SSL checker that verifies HTTPS is working and the certificate is valid before letting you enable HSTS. Navigate to the hardening or security headers section of the plugin, check that the SSL status shows a valid certificate, then enable HSTS. ScudoWP sends Strict-Transport-Security with max-age=31536000 (one year) and includeSubDomains, covering all subdomains as well.

HSTS is enabled only if HTTPS is actually live and valid. The plugin double-checks at runtime, so even if you enable the setting on an insecure site, the header is never sent until HTTPS is confirmed. If you later disable HTTPS, HSTS enforcement automatically stops. This safety-first design ensures HSTS can never lock your visitors out.
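The header baseline from the Security Headers section and the HSTS safety rule from this section, as an added Python example that is not ScudoWP's own code: a builder that only adds Strict-Transport-Security when HTTPS is live and the certificate is valid, plus an audit of a captured response. The exact CSP and Permissions-Policy directive text is assumed (the documentation states only their intent), and the sample response is constructed.

```python
"""Added example, not ScudoWP's own code: the header baseline above and the
HSTS rule as a builder plus an audit. CSP/Permissions-Policy text is assumed."""
import re
from typing import Dict, List

# Report-only CSP as described: 'self' scripts/styles, img self/data/https, no objects.
CSP_REPORT_ONLY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                   "img-src 'self' data: https:; object-src 'none'")
BASELINE: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Content-Security-Policy-Report-Only": CSP_REPORT_ONLY,
}
ONE_YEAR = 31536000
HSTS_VALUE = f"max-age={ONE_YEAR}; includeSubDomains"

def build_headers(https_live: bool, cert_valid: bool) -> Dict[str, str]:
    """Baseline always; HSTS only once HTTPS is live AND the cert is valid,
    since a premature HSTS locks visitors out for the whole max-age."""
    headers = dict(BASELINE)
    if https_live and cert_valid:
        headers["Strict-Transport-Security"] = HSTS_VALUE
    return headers

def audit_headers(response: Dict[str, str], https_live: bool) -> List[str]:
    """Findings for a captured response (header names are case-insensitive)."""
    got = {k.lower(): v.strip() for k, v in response.items()}
    findings: List[str] = []
    for name, expected in BASELINE.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}")
        elif actual != expected:
            findings.append(f"{name} differs from baseline: {actual!r}")
    hsts = got.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None and https_live:
        findings.append("HTTPS is live but Strict-Transport-Security is not sent")
    elif hsts is not None and not https_live:
        findings.append("Strict-Transport-Security sent over HTTP: visitors can be locked out")
    elif hsts is not None and (not max_age or int(max_age.group(1)) < ONE_YEAR):
        findings.append(f"Strict-Transport-Security max-age below one year: {hsts!r}")
    return findings

# Constructed capture from a misconfigured site (not a real response):
# nosniff is missing and HSTS is sent while the site still serves HTTP.
SAMPLE_HTTP_RESPONSE = {
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": BASELINE["Permissions-Policy"],
    "content-security-policy-report-only": CSP_REPORT_ONLY,
    "strict-transport-security": "max-age=300",
}
```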

Monitoring and alerts

Activity log (free)

See every security event, attack block and sensitive operation in a searchable log.

ScudoWP records every security-relevant event in a real-time activity log accessible from the dashboard under the Log section. The log captures firewall blocks (SQL-injection, XSS attempts), failed login attempts, successful administrator logins, two-factor authentication events, hardening changes, and background scan results. Each log entry shows the timestamp, event category, severity level (notice, warning, critical), source IP, username if applicable, and a description of what happened.

You can search the log by keyword, filter by category (firewall, access, integrity, config) or severity level, and export results to review offline. The log is paginated and you can choose how many entries per page to display. By default, entries are retained for 30 days, but you can adjust this window in Settings > Maintenance to match your compliance requirements (minimum 1 day).

Clearing the activity log is itself logged as an event. The log is free on both Free and Pro tiers. Visit the Log tab in the dashboard to start reviewing your security events.

Security score and recommendations (free)

See a transparent security score and a prioritized list of actions to improve it.

ScudoWP calculates a real-time security score from 0 to 100 by gathering live signals about your configuration, hardening modules, firewall status, 2FA enrollment, SSL certificate validity, and recent scan results. The score is shown prominently on the dashboard (called 'Panoramica' in the main view) and breaks down exactly which signals contributed to your score. A score of 60 or above with zero scan findings means your site is marked as protected.

Below the score, ScudoWP shows a prioritized Recommendations list—a to-do list of the most impactful actions you can take next. Recommendations are derived deterministically from your current posture and environment (environment-aware, so unavailable features are never suggested). For example, if your site does not have HTTPS, you will see a recommendation to enable SSL. If 2FA is available but not enrolled, it will appear next in priority. Recommendations account for known plugin conflicts and always suggest the highest-impact action first.

The score and recommendations are free on both tiers. Visit the dashboard home (Panoramica tab) to see your current score, the underlying signals, and your personalized recommendations.
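An added Python example of the mechanism this section describes (not ScudoWP's actual scoring code): a deterministic 0 to 100 score from posture signals, the "protected" rule of at least 60 with zero scan findings, and environment-aware recommendations that never suggest an unavailable feature and list the highest-impact action first. The signal names and weights are assumptions chosen for illustration.

```python
"""Added example, not ScudoWP's scoring code: a deterministic 0-100 score
from posture signals, the 'protected' rule (>= 60 with zero scan findings)
and environment-aware recommendations ordered by impact. Signal names and
weights are assumptions chosen to illustrate the mechanism."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Posture:
    https_live: bool
    firewall_on: bool
    two_factor_available: bool  # environment: can 2FA be used at all here?
    two_factor_enrolled: bool
    hardening_baseline: bool
    scan_findings: int          # open findings from the latest scan

@dataclass(frozen=True)
class Signal:
    name: str
    weight: int                           # points when satisfied (sum = 100)
    satisfied: Callable[[Posture], bool]
    available: Callable[[Posture], bool]  # False -> never recommended
    action: str                           # recommendation shown when unmet

def always(p: Posture) -> bool:
    return True

SIGNALS: List[Signal] = [
    Signal("HTTPS with valid certificate", 30, lambda p: p.https_live, always,
           "Enable HTTPS (valid SSL certificate)"),
    Signal("Two-factor authentication enrolled", 25, lambda p: p.two_factor_enrolled,
           lambda p: p.two_factor_available, "Enrol in two-factor authentication"),
    Signal("Firewall enabled", 20, lambda p: p.firewall_on, always,
           "Turn on the Web Application Firewall"),
    Signal("No open scan findings", 15, lambda p: p.scan_findings == 0, always,
           "Review and resolve open scan findings"),
    Signal("Safe hardening baseline applied", 10, lambda p: p.hardening_baseline, always,
           "Apply the safe hardening baseline"),
]
PROTECTED_THRESHOLD = 60

def score(p: Posture) -> Tuple[int, List[str]]:
    """Total points plus the names of the signals that contributed."""
    met = [s for s in SIGNALS if s.satisfied(p)]
    return sum(s.weight for s in met), [s.name for s in met]

def is_protected(p: Posture) -> bool:
    """The dashboard 'protected' mark: threshold met AND nothing open in scans."""
    return score(p)[0] >= PROTECTED_THRESHOLD and p.scan_findings == 0

def recommendations(p: Posture) -> List[str]:
    """Unmet signals the environment can act on, highest weight first."""
    todo = [s for s in SIGNALS if s.available(p) and not s.satisfied(p)]
    return [s.action for s in sorted(todo, key=lambda s: -s.weight)]
```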

Email alerts and weekly report (PRO)

PRO

Get instant notifications of threats and a weekly security digest.

ScudoWP Pro sends instant email alerts when specific security events occur. You can configure which events trigger emails through Settings > Alerts. Alerts can be sent when an administrator logs in (useful for multi-user sites to detect unauthorized access) or when a critical threat is detected. By default alerts go to your WordPress admin email address, but you can specify a different recipient if needed. An alert for an administrator login includes the username and advises checking your password if it was not you.

The weekly security report is a Pro-only feature that sends every Monday (or on your site's configured weekly schedule) with a summary of the last seven days: total firewall blocks, total failed login attempts, and a reminder that your site is being monitored. To enable alerts, go to the dashboard Settings tab, expand the Alerts section, enter your preferred email address, and toggle on Admin Login and Weekly Report. Emails are sent via WordPress wp_mail(), so they use your site's mail configuration.

Email alerts are a Pro feature and require an active Pro license. Activate a Pro license to unlock email alerts. You can enable or disable individual alert types at any time without losing your email address configuration.

Licenses and PRO

Free vs Pro tiers

Understand what features are available on each tier.

ScudoWP is a freemium plugin with a free tier available on WordPress.org and a Pro tier with advanced features. The free tier includes Web Application Firewall (blocks SQL-injection and XSS), malware and integrity scanning, two-factor authentication (TOTP), brute-force protection, login CAPTCHA, comment and form spam protection, security headers, activity log, security score and recommendations, and Safe Mode recovery. The free tier also includes a vulnerability advisory overlay that flags plugins and themes with known vulnerabilities, and optional hardening controls like version hiding, file-editing disabling, and admin-bar hiding.

The Pro tier adds premium WAF rules and a live threat-intelligence feed, advanced rate-limiting to throttle abusive clients by requests-per-minute, GeoIP blocking to restrict traffic by country, CDN real-IP resolution, a feature to hide the login URL and wp-admin from bots, two-factor enforcement by user role with a remember-device window, compromised-password blocking (rejects passwords found in data breaches), and email alerts with a weekly security report.

All features on both tiers are available immediately after installation. Free features remain free forever. Pro features are locked behind the license check and only become available when you activate a valid Pro license.

Activating a Pro license

Purchase and activate a Pro license to unlock advanced features.

To activate a Pro license, first purchase a license on the ScudoWP pricing page at scudowp.com. Pro licenses are sold through Freemius and are annual recurring subscriptions—you pay once per year and the license automatically renews unless you cancel. After purchasing, you will receive a license key via email and through your Freemius account dashboard.

To activate the license in WordPress, go to ScudoWP > Settings in the admin menu and look for the License section. Click the 'Activate License' button, paste your license key into the activation form, and click Activate. ScudoWP will validate the key with the Freemius servers and unlock all Pro features immediately. The license activation screen is also accessible through the WordPress Plugins page—look for an 'Activate License' link next to ScudoWP.

After activation, the License section in Settings will show your license status, plan name (Pro), and expiration date. If you need to change your billing information or upgrade, click the 'Manage License' link to go to your Freemius account dashboard. Your Pro license is tied to your site's domain, and you can reactivate it if you move your site to a different host.

Freemius annual subscriptions

How Pro licenses are sold and renewed through Freemius.

ScudoWP Pro licenses are sold as annual recurring subscriptions through Freemius, a licensing and payment platform that handles billing and license delivery. When you purchase a Pro license, you pay once per year for a 12-month subscription. On the anniversary date, your subscription automatically renews and you are charged again unless you cancel beforehand. Your license key remains valid throughout the subscription period.

You can view and manage your subscription through your Freemius account dashboard. Log in with the email address you used to purchase the license. From there you can view your license keys, update your billing and payment method, download invoices for accounting, and manage multiple sites or licenses if you have them. All Freemius account functions are available at no additional cost.

Your Freemius account is also where you manage your 3-day free trial if you want to test Pro features before purchasing. The trial is fully-featured and can be activated from the License section in ScudoWP Settings without entering payment information first.

Managing and canceling licenses

Update payment info, extend your license, or cancel your subscription.

To manage your Pro license, go to ScudoWP > Settings > License and click the 'Manage License' link, which opens your Freemius account dashboard in a new tab. From there you can update your payment method (credit card, PayPal, etc.), view your billing history and invoices, and check your license renewal date. You can also manage multiple licenses if you have Pro on several sites.

To cancel your Pro subscription, log into your Freemius account dashboard, find your ScudoWP subscription, and click Cancel. Your license will remain valid until the current renewal date, and Pro features will be available for the rest of your paid period. After the renewal date passes, ScudoWP will revert to free-tier features automatically. There is no penalty for canceling, and you can reactivate a license later if you change your mind.

If you downgrade to free, all your plugin settings and activity logs are preserved—you simply lose access to Pro-only features (email alerts, premium WAF rules, advanced rate limiting, GeoIP blocking, hidden login URL, two-factor enforcement, and compromised-password blocking). The free features continue to work exactly as before.

Changelog

ScudoWP 1.0.0

First public release — the complete free security suite plus the optional Pro layer.

First public release of ScudoWP. The free version is a complete, standalone security suite: an environment-aware Web Application Firewall (SQLi/XSS and more), a self-optimising malware & integrity scan against the official WordPress.org checksums with reversible quarantine, brute-force protection with an anti-lockout admin allowlist, TOTP two-factor authentication with backup codes, an invisible login CAPTCHA, comment and form spam protection, the full set of hardening modules (XML-RPC, file editing, user enumeration, uploads PHP execution and more), one-click security headers with an HTTPS/HSTS check, a transparent and explainable security score with prioritised recommendations, a searchable activity log, a bundled vulnerability advisory overlay, and Safe Mode with three database-less recovery routes.

ScudoWP Pro adds the advanced layer for sites that need more: a premium WAF rule engine fed by a continuously-updated, signed threat-intelligence feed; GeoIP country blocking with CDN real-IP resolution and advanced per-IP rate limiting; a hidden login URL with bot redirection; two-factor enforcement by role with remember-this-device; compromised-password blocking (k-anonymity); email alerts and a weekly security report; a plug-and-play Content-Security-Policy builder; configuration export/import; white-label / agency branding; and an optional AI security advisor (bring your own API key — proposals only, nothing is ever applied automatically).

Every site-touching action follows a safety-first contract: detect, preview, apply, verify, and automatic rollback on failure, with a restore point and a database-less escape route at all times. Detection and enforcement are deterministic; the AI layer is off by default and only ever proposes validated changes. A lapsed or absent Pro licence never disables the firewall, scans, or Safe Mode — Pro only ever adds capability.

ScudoWP ships translation-ready with bundled translations (including Italian, French, Spanish, German, Arabic with RTL, Japanese, Brazilian Portuguese, Russian and Dutch), requires WordPress 6.0+ and PHP 7.4+, and is multisite-aware. The free build is published on WordPress.org; Pro is delivered through Freemius and installs over the free build under the same plugin.