Frequently asked questions
Description: Writes a robots.txt file to the site root.
Logic: A physical file is created when filesystem permissions allow.
Access: WP Admin → AegisSitemap → Robots → Write robots.txt.
Recommendation: Enable for maximum crawler compatibility.
Feature
Bot Control logging (allow + rate_limit events with matched pattern and scope)
Description
Log bot decisions and matches.
How it works
AegisWAF applies this capability inside the Bot Control module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Bot Control
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
PRO UX: Dim + upsell pattern
Description
PRO-only controls appear dimmed with an upgrade CTA in FREE mode.
How it works
AegisWAF applies this capability inside the License module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → License, Matrix and Settings
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
Cleanup tools — Scans existing comments and users in safe batches to identify and remove legacy spam without timeouts.
How it works
Cleanup uses the same engine scoring but runs with safe batching and can operate in report-only mode so you can validate before changing data.
How to access / enable
- WP Admin → AegisSpamGuard → Cleanup
Recommended setting
Recommended: Start with Report-only, then Move to Spam.
This prevents accidental deletions and lets you verify scoring on old content.
Why you need this
Admins often inherit spam-filled databases—Cleanup restores quality and reduces moderation workload.
Feature
Only enforce on unauthenticated REST requests (logged-in bypass)
Description
Optionally bypass logged-in traffic.
How it works
AegisWAF applies this capability inside the API Shield module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → API Shield
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
DDoS rate window + thresholds
Description
Define window and per-IP thresholds for actions.
How it works
AegisWAF applies this capability inside the DDoS Settings module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → DDoS Settings
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Feature
IP / CIDR blocklist enforcement (PRO-only)
Description
Block specific IPs/CIDRs.
How it works
AegisWAF applies this capability inside the Bot Control module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → Bot Control
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description: Enables full XML sitemap generation for your WordPress site.
Logic: Dynamically generates sitemap endpoints and updates them as content changes.
Access: AegisSitemap → Sitemap.
Recommendation: Enable on all production sites.
Description: Sets how long an IP/user stays locked out after exceeding max attempts.
How it works: When the threshold is hit, Login Guard stores a lockout with an expiry based on lockout_minutes.
How to access / configure:
- WP Admin → AegisShield → Login Guard.
- Find “Lockout Minutes”.
- Set the duration and Save Changes.
Recommended setting: 15–30 minutes is a good baseline; increase if attacks persist.
Feature
DDoS Shield master switch
Description
Enable/disable volumetric protection layer.
How it works
AegisWAF applies this capability inside the DDoS Settings module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → DDoS Settings
- Enable/Disable: Use the toggle on this screen to turn it ON or OFF, then click Save.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description: Requires at least one lowercase letter in passwords (when enforcement is enabled).
How it works: password_require_lowercase adds a lowercase check to password validation.
How to access / configure:
- WP Admin → AegisShield → Hardening → Password Policy.
- Enable lowercase requirement.
- Save changes.
Recommended setting: Enable for admin/editor roles.
Description
Fallback image for social previews.
How it works
Uses the global attachment/URL when the per-post image is missing.
How to access / enable
Social → Defaults → Image.
Recommended setting
Set a branded default image.
Description: Shows notable admin and system changes over the last 7 days (plugins enabled/disabled, admin changes).
How it works: AegisShield summarizes high-impact Activity Log categories to make change review fast.
How to access / configure:
- WP Admin → AegisShield → Dashboard.
- View “High‑Impact Changes (7d)”.
- Click through to Activity Log for full details.
Recommended setting: Review this weekly; unexpected plugin/theme changes are a common incident indicator.
Description: Breaks down recent security events by module category (Login Guard, File Integrity, Malware, Headers, DB).
How it works: Events are tagged with a module and category so the dashboard can visualize where threats are coming from.
How to access / configure:
- WP Admin → AegisShield → Dashboard.
- View “Threat Categories by Module (24h)”.
- Click into the module with the highest activity for details.
Recommended setting: Use this view to prioritize tuning—e.g., tighten Login Guard if auth events dominate.
Description: Blocks directories from crawler access.
Logic: Disallow rules are generated for each defined path.
Access: WP Admin → AegisSitemap → Robots → Excluded Directories.
Recommendation: Block admin, search, and temporary paths.
Description: Standard UTM parameters used by analytics platforms for attribution and reporting.
How it works: AegisLink stores each UTM field and appends them to the final redirect destination when enabled.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Manage → UTM fields → Save.
Recommended setting: Use consistent naming conventions (source=facebook, medium=social, campaign=summer-sale).
Feature
REST Progressive Enforcement: Challenge-at
Description
Threshold where REST requests begin receiving challenges.
How it works
AegisWAF applies this capability inside the API Shield module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → API Shield
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description: Controls which endpoints your site can connect to (AJAX, APIs) via CSP connect-src (Pro).
How it works: builder_connect_src and builder_connect_mode define allowed origins for fetch/XHR/WebSocket connections.
How to access / configure:
- WP Admin → AegisShield → Security Headers → CSP Builder.
- Open Connect settings.
- Add API domains and Save Changes.
Recommended setting: Only allow your own domain and required external APIs (payments, analytics, etc.).
Description: Shows which websites or sources are sending traffic to your short links.
How it works: AegisLink records the HTTP referer (when available) and aggregates top sources.
How to access / enable: WP Admin → AegisLink → ShortURL Links → Analytics → Top Referrers.
Recommended setting: Use this to validate social and partner campaigns and discover unexpected traffic sources.
Description: Visualizes relative risk across modules so you can see where attention is needed.
How it works: Each module contributes a risk score based on its findings (e.g., lockouts, file changes, malware suspects, header posture).
How to access / configure:
- WP Admin → AegisShield → Dashboard.
- View “Module Risk Index (7d)”.
- Open the highest-risk module and address findings.
Recommended setting: Prioritize high-risk modules first; aim to keep all modules at low/medium risk.
Description
Tools to diagnose sitemap access issues.
How it works
Checks permalinks/rewrite and outputs correct headers.
How to access / enable
Tools → Diagnostics.
Recommended setting
Use Post Name permalinks.
Feature
JS proof token — Uses a lightweight JavaScript-generated proof token so that non-browser bots are penalized and replay is reduced.
How it works
A one-time nonce/token is created per form/session; missing or invalid proofs add score. This helps stop headless/bot POSTs that skip executing JS.
How to access / enable
- WP Admin → AegisSpamGuard → Settings
- Challenges/Forms section (varies by build)
- Toggle “JS proof token” ON/OFF.
Recommended setting
Recommended: ON for forms.
It improves detection without forcing CAPTCHAs; bots that don’t run JS get flagged.
Why you need this
Admins get better protection with minimal UX cost.
Feature
Advanced Per-Route Controls (pattern | category | profile | per-method thresholds)
Description
Per-route advanced controls.
How it works
AegisWAF applies this capability inside the API Shield module. The engine evaluates configuration, applies matching (path/method/tokens/counters/providers), then records evidence into the event log and executes the configured enforcement action when conditions are met.
How to access / Enable or disable
- Access: AegisWAF → API Shield
- Enable/Disable: Use the module toggle/switch on this screen (or the relevant category toggle) to enable/disable.
Recommended setting
Start conservative (LOG or Challenge) for new deployments; tighten to Block once you confirm low false positives.
Description: Controls the number of URLs included in each sitemap file.
Logic: Once the limit is reached, a new child sitemap is created automatically.
Access: WP Admin → AegisSitemap → Sitemap → Max URLs per Sitemap.
Recommendation: Leave at default (2000) unless advised by SEO audits.
Description
Controls the SEO title format for the homepage.
How it works
Saves title_home and renders variables (%%sitename%%, %%tagline%%, %%sep%%).
How to access / enable
Setup Wizard → Homepage Title Template → Save.
Recommended setting
%%sitename%%%%sep%%%%tagline%%








