frequently asked questions
(No Gimmicks, No CC,No Commitment, Free Features, Stay Free If You Prefer!)
Description: Requires at least one symbol in passwords (when enforcement is enabled).
How it works: password_require_symbol adds a symbol check to password validation.
How to access / configure:
- WP Admin → AegisShield → Hardening → Password Policy.
- Enable symbol requirement.
- Save changes.
Recommended setting: Enable for admins; consider optional for lower roles to reduce support burden.
Feature
Default rate limit per minute (enforced per IP + path + minute bucket)
Description
Per-IP+path rate limits in a time bucket.
How it works
AegisWAF applies this capability inside the Bot Control module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Bot Control
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description
Limits migration runs to selected post types.
How it works
Filters migration queries by post_type.
How to access / enable
Migration Wizard → Select Post Types → Run.
Recommended setting
Start with posts + pages.
Description: Restricts which sites can embed your site in an iframe (anti-clickjacking) (Pro).
How it works: builder_frame_ancestors sets the CSP frame-ancestors directive; pairs well with X-Frame-Options.
How to access / configure:
- WP Admin → AegisShield → Security Headers → CSP Builder.
- Set frame ancestors to ‘none’ or ‘self’.
- Save changes.
Recommended setting: Use ‘none’ for most sites; ‘self’ if you embed your own pages internally.
FREE: Not available.
PRO: Available.
What it does: Enables granular filtering of security events.
How to use it properly: Use filters to isolate high-signal events.
Description: Create a new short link by providing a Title, Target URL, and optional custom Slug.
How it works: AegisLink saves the link as a short link post and routes /{prefix}/{slug} to your Target URL using the configured redirect code.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Manage → Add Short Link → Save.
Recommended setting: Leave slug blank to auto-generate from the title for consistent formatting.
Feature
Visual Intelligence: Top routes chart
Description
Most targeted endpoints/routes based on events.
How it works
AegisWAF applies this capability inside the Logging & Evidence module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Logs / Attack Story
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
- Reduces common WordPress attack surface (headers, hardening, login protection)
- Adds observability (activity logging + login attempts + file integrity baselines)
- Adds incident-oriented tooling (malware workflows like incremental scan / incidents / profiles / scheduler tabs in UI)
- Provides safer DB admin utilities (notably DB prefix management with a “don’t forget the internal keys” phase)
Description: Shows per-table row counts and storage usage to identify bloat sources.
How it works: AegisShield calculates table sizes and highlights outliers that may indicate logging bloat or spam tables.
How to access / configure:
- WP Admin → AegisShield → DB Tools.
- Sort by Size or Rows.
- Inspect top tables.
Recommended setting: Large options/transients tables often indicate plugin issues; clean up carefully.
Feature
Disposable email domains — Detects and scores disposable/temporary email domains to reduce fake leads and spam registrations.
How it works
The engine checks the email domain against a local list (and optionally a fetched list if you enable it) and adds score if it matches.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Identity module settings
- Enable disposable detection options if present.
Recommended setting
Recommended: ON (local list), external list OFF unless you enable external calls.
Local lists are privacy-first and stable; external lists can improve coverage but require outbound HTTP.
Why you need this
Admins improve lead quality and reduce fraudulent signups.
Additional information
Feature
Managed Rules: SQLi category toggle
Description
Enable/disable SQL injection managed rules.
How it works
AegisWAF applies this capability inside the WAF Rules module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → WAF Settings (Rules section)
- Enable/Disable: Use the toggle on this screen to turn it ON or OFF, then click Save.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description
Checks heading usage quality.
How it works
Scans content for heading tags/blocks.
How to access / enable
Aegis Score.
Recommended setting
One H3; use H4 sections.
Feature
Advanced Per-Route Controls (pattern | category | profile | per-method thresholds)
Description
Per-route advanced controls.
How it works
AegisWAF applies this capability inside the API Shield module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → API Shield
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
Registration spam protection — Stops fake account creation by scoring registrations and applying allow/hold/block logic.
How it works
Hooks into registration validation; checks identity heuristics (disposable domains, MX optional), velocity, and reputation; then enforces policy.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Enable registration protection (if toggle exists).
- Tune identity signals and trust settings.
Recommended setting
Recommended: Enabled with Hold for new sites.
Holding suspicious registrations prevents fake accounts while avoiding accidental blocks of legitimate users during early tuning.
Why you need this
Admins reduce fake users, deliverability issues, and malicious activity from throwaway accounts.
Additional information
Feature
Search form protection — Stops bots from abusing WordPress search by scoring suspicious queries and rate-limiting aggressive activity.
How it works
The search term is scored; block/hold can return a 429 rate-limit response, and Challenge can apply a small delay to discourage automated scraping/search spam.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Enable “Search form protection”.
- Save changes.
Recommended setting
Recommended: ON for public sites.
Search abuse can generate thousands of low-value pages and waste CPU; protection reduces that risk.
Why you need this
Admins protect SEO and performance by preventing bot-driven search spam pages.
Additional information
Description: Controls how many days of Activity Log events are kept before older entries are purged.
How it works: A scheduled maintenance routine removes entries older than the configured retention_days value.
How to access / configure:
- WP Admin → AegisShield → Activity Log.
- Locate “Retention Days”.
- Set the number of days and Save Changes.
Recommended setting: 30–90 days is a practical range for most sites; use longer for regulated environments.
Description: Smart Links require keywords to be a single word (no spaces).
How it works: AegisLink ignores any keyword containing whitespace to avoid unexpected phrase linking and formatting issues.
How to access / enable: WP Admin → AegisLink → Keyword Links → Keyword field (one word) → Save Smart Links.
Recommended setting: Use concise, branded keywords (product names, category handles) for best results.
Description: Optimizes tables to reclaim space and improve query performance.
How it works: DB Tools runs OPTIMIZE TABLE (where supported) and records events for auditing.
How to access / configure:
- WP Admin → AegisShield → DB Tools.
- Select table(s) or run optimize action.
- Confirm completion and check performance.
Recommended setting: Run during low-traffic windows; always back up before major DB operations.
Feature
Card rows (compact summary + expandable body) — Each log entry shows a compact summary row and expands to reveal full details, reasons, and next actions.
How it works
The summary focuses on what you need at a glance (score, action, type, timestamp). Expanding reveals signal breakdown, actor info (privacy-safe), payload excerpt, and evidence.
How to access / enable
- WP Admin → AegisSpamGuard → Spam Log
- Click an event card to expand/collapse details.
Recommended setting
Recommended: Expand Held/Challenged events before deciding.
Reviewing details prevents accidental denies and helps you build accurate allow/deny rules.
Why you need this
Admins need fast scanning and deep diagnostics in one place—cards make the log readable like a real app, not a raw table.
Additional information
Feature
Managed Rules: File Upload abuse enforcement (PRO)
Description
Enforcement for upload abuse patterns in PRO.
How it works
AegisWAF applies this capability inside the WAF Rules module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → WAF Settings (Rules section)
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
Multisite controls — Supports network-wide defaults with per-site overrides so you can standardize protection across a multisite network.
How it works
Network settings define baseline thresholds/modules; each site can override only what it needs (e.g., different aggressiveness for commerce vs blog sites).
How to access / enable
- WP Network Admin → AegisSpamGuard → Settings (Network)
- Configure global defaults
- On an individual site, override settings as needed.
Recommended setting
Recommended: Set conservative network defaults; override only for high-risk sites.
Conservative defaults reduce network-wide false positives while still providing meaningful protection everywhere.
Why you need this
Admins running agencies or multisite installs need centralized control with safe flexibility.
Additional information
Description: Sets the minimum required password length when strong password enforcement is enabled.
How it works: password_min_length is checked during password set/reset and weak passwords are rejected.
How to access / configure:
- WP Admin → AegisShield → Hardening → Password Policy.
- Set minimum length.
- Save changes.
Recommended setting: Use 12+ for admins; 10+ for lower roles if needed.
Feature
Phrase/URL rules — Allow or block content that matches specific phrases or URL patterns commonly used in spam.
How it works
Phrase rules are checked against normalized message content. URL rules help you block known spam destinations or suspicious shorteners.
How to access / enable
- WP Admin → AegisSpamGuard → Allow/Deny
- Add a phrase or URL rule
- Choose Allow or Deny and save.
Recommended setting
Recommended: Start with Deny rules for repeated spam campaigns you see in the log.
Targeted phrase/URL rules stop waves immediately with low false positive risk.
Why you need this
Admins often see repeating spam templates—phrase/URL rules shut them down fast.
Additional information
Description
Default SEO title template for pages.
How it works
Uses title_page template.
How to access / enable
Global SEO → Titles & Meta → Page Title Template.
Recommended setting
%%title%%%%sep%%%%sitename%%
Description
Default description template for posts.
How it works
Uses desc_post; typically %%excerpt%% fallback.
How to access / enable
Global SEO → Titles & Meta → Post Meta Description Template.
Recommended setting
Use %%excerpt%% but ensure excerpt quality.