Frequently asked questions
(No Gimmicks, No CC, No Commitment, Free Features, Stay Free If You Prefer!)
A WordPress security plugin built to run efficiently on shared hosting, providing defensive controls, hardening, monitoring/logging, security header enforcement, malware/integrity tooling, login protection, and database tools from inside WP Admin.
Feature
External disposable list URL — Optionally fetch a disposable email domain list from a URL (requires external calls).
How it works
If enabled, AegisSpamGuard downloads a list periodically and caches it. This improves coverage beyond the built-in local list.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Identity module settings
- Set external list URL and enable the toggle.
Recommended setting
Recommended: Leave OFF if “No external calls” is ON; otherwise enable only from trusted sources.
External lists can add coverage but introduce network dependency—use only if you trust the source and caching works on your host.
Why you need this
Use caching intervals to reduce bandwidth and avoid timeouts.
Feature
REST request abuse protection — Scores suspicious REST requests to reduce spam and automated abuse of WordPress endpoints.
How it works
The engine inspects request context, headers, and patterns. Depending on your configuration, it can apply scoring and rate-limit or block abusive requests.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Enable REST protection (if available).
- Tune firewall/velocity thresholds for best results.
Recommended setting
Recommended: Enabled on public sites with heavy bot traffic.
REST endpoints are commonly probed; early scoring and rate-limiting reduce load and abuse.
Why you need this
Admins protect site performance and reduce automated scanning noise.
Description: Sets how many failed login attempts are allowed before a lockout triggers.
How it works: Login Guard increments a counter on failed authentication and locks out when the counter reaches max_attempts.
How to access / configure:
- WP Admin → AegisShield → Login Guard.
- Find “Max Attempts”.
- Set the value and Save Changes.
Recommended setting: Use 3–5 for most sites; use 3 if the site is frequently attacked.
FREE: Not available.
PRO: Available.
What it does: Retains logs for long-term forensics.
How to use it properly: Enable for compliance or long-term investigations.
Description: Choose which directories are included in malware scanning.
How it works: scan_dirs/directories settings determine which paths are traversed during a scan for performance and relevance.
How to access / configure:
- WP Admin → AegisShield → Malware Scan.
- Select directories to scan.
- Save (if applicable) and run scan.
Recommended setting: Always include plugins and themes; include uploads on sites that allow uploads or have been compromised before.
Description: Enables robots.txt control inside WordPress.
Logic: Robots rules are generated dynamically and served virtually or physically.
Access: WP Admin → AegisSitemap → Robots → Enable Robots.
Recommendation: Enable unless managed externally.
Description
Stores social profile URLs for schema and social meta defaults.
How it works
Saves social profiles and outputs sameAs links in schema.
How to access / enable
Setup Wizard → Social URLs → Save.
Recommended setting
Only add profiles you actively maintain.
Description: Delete removes the short link so the slug no longer resolves on your site.
How it works: AegisLink deletes the short link post after nonce verification to prevent accidental or malicious deletion.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Manage → Delete.
Recommended setting: Only delete if you never want the short URL used again; otherwise change the target instead.
Description: Target URL must be a valid http(s) URL to prevent broken redirects.
How it works: AegisLink validates that the URL begins with http:// or https:// before saving.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Manage → Target URL → Save.
Recommended setting: Always use the canonical URL you want users to reach (final destination).
Feature
Trust users older than N days — Applies a trust boost to accounts older than a configurable age, reducing false positives for established users.
How it works
Older accounts are statistically lower risk; this setting lets you encode that into scoring.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Trust settings section
- Set “Trust existing user if older than N days”.
Recommended setting
Recommended: 7–14 days for most sites.
A week is enough to separate drive-by spam from normal members without granting immediate trust to new signups.
Why you need this
Admins improve UX for established users while keeping defenses strong for new accounts.
Description: Generate short links for categories, tags, and custom taxonomies (including WooCommerce product_cat and product_tag).
How it works: AegisLink queries terms with get_terms(), resolves targets with get_term_link(), and builds slugs from the term slug with optional prefixes.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Bulk → Terms/Taxonomy section → Generate.
Recommended setting: Use prefixes like cat- or tag- if you have overlapping slugs across taxonomies.
Description: Records failed login attempts to help identify attacks and targeted accounts.
How it works: Each failed login writes an event with timestamp, username (if provided), and IP address to support investigations.
How to access / configure:
- WP Admin → AegisShield → Login Guard.
- Review the recent failed login activity section/chart.
- Cross-check with Activity Log for related events.
Recommended setting: Watch for repeated attempts on admin accounts; consider enforcing MFA for administrators (Pro).
Description
Flags posts that are missing an SEO title.
How it works
Checks title meta and template output conditions.
How to access / enable
Issues & Fixes → Missing Title.
Recommended setting
Use templates + override key pages.
Description: Builds a baseline of known-good file checksums to detect unexpected changes.
How it works: AegisShield records checksums for monitored paths; later scans compare current checksums against baseline to detect modifications.
How to access / configure:
- WP Admin → AegisShield → File Integrity.
- Run the baseline/scan to initialize monitoring.
- Review results for unexpected changes.
Recommended setting: Create a fresh baseline right after a clean install and after major updates you trust.
Description: Enforces MFA for selected WordPress roles (Pro).
How it works: On login, AegisShield checks the user’s role against the enforced list and requires MFA if applicable.
How to access / configure:
- WP Admin → AegisShield → Login Guard → MFA (Pro).
- Enable enforcement and select roles.
- Save changes and notify users.
Recommended setting: Enforce at least for administrators and editors; expand to authors on content-heavy sites.
Description
Allows reverting SEO changes applied from operations.
How it works
Uses history/events to restore previous meta values.
How to access / enable
SEO Ops Center → Rollback/History.
Recommended setting
Roll back when outcomes worsen.
Feature
Retention days setting (auto-delete older logs) + manual cleanup button
Description
Retention controls and cleanup.
How it works
AegisWAF applies this capability inside the Logging & Evidence module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Logs / Attack Story
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Set 30 days retention for most sites; shorten to 7–14 days on small databases.
Description: Prevents editing plugin/theme files from the WordPress editor to reduce post-compromise abuse.
How it works: Hardening sets the relevant WordPress constant/behavior so attackers can’t use the built-in editor to plant code.
How to access / configure:
- WP Admin → AegisShield → Hardening.
- Enable “Disable file editing”.
- Save changes.
Recommended setting: Enable on production sites; make code changes via SFTP/Git instead.
Feature
Cleanup tools — Scans existing comments and users in safe batches to identify and remove legacy spam without timeouts.
How it works
Cleanup uses the same engine scoring but runs with safe batching and can operate in report-only mode so you can validate before changing data.
How to access / enable
- WP Admin → AegisSpamGuard → Cleanup
Recommended setting
Recommended: Start with Report-only, then Move to Spam.
This prevents accidental deletions and lets you verify scoring on old content.
Why you need this
Admins often inherit spam-filled databases—Cleanup restores quality and reduces moderation workload.
Description
Default description template for posts.
How it works
Uses desc_post; typically %%excerpt%% fallback.
How to access / enable
Global SEO → Titles & Meta → Post Meta Description Template.
Recommended setting
Use %%excerpt%% but ensure excerpt quality.
Feature
Behavioral scoring (PRO-only scoring + threshold enforcement)
Description
Behavioral scoring enforcement.
How it works
AegisWAF applies this capability inside the Bot Control module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Bot Control
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description: Edit allows you to update a short link’s target, slug options, tracking, groups/tags, and UTMs.
How it works: AegisLink loads the existing short link post and updates metadata on save.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Manage → Edit.
Recommended setting: Edit rather than delete when campaigns move; preserve history and analytics continuity where possible.
Feature
“Alerts only” filtering
Description
Show only alert-triggering events.
How it works
AegisWAF applies this capability inside the Logging & Evidence module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Logs / Attack Story
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
Action mode: FREE forced to LOG; PRO can use Log / Block / Challenge / Rate Limit
Description
Global action mode / enforcement policy.
How it works
AegisWAF applies this capability inside the WAF Rules module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → WAF Settings (Rules section)
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.








