[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUIXYcsv7oQvhYIQRU2QpWq6pAy7p458O0V58j4IQ8K8":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":37,"analysis":128,"fingerprints":256},"basecloud-security-manager","BaseCloud Security Manager","1.0.26","BaseCloud","https:\u002F\u002Fprofiles.wordpress.org\u002Fbasecloud\u002F","\u003Cp>\u003Cstrong>Transform your WordPress site into a security fortress in under 2 minutes.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>BaseCloud Security Manager delivers enterprise-level security protection through advanced HTTP security headers – the same technology used by Fortune 500 companies to protect their websites. No technical expertise required.\u003C\u002Fp>\n\u003Cp>🎯 \u003Cstrong>Why Security Headers Matter:\u003C\u002Fstrong>\u003Cbr \u002F>\nSecurity headers are your website’s first line of defense, instructing browsers on how to handle your content safely. 
Without them, your site is vulnerable to:\u003Cbr \u002F>\n• Cross-Site Scripting (XSS) attacks – \u003Cstrong>87% of websites are vulnerable\u003C\u002Fstrong>\u003Cbr \u002F>\n• Clickjacking attacks that steal user credentials\u003Cbr \u002F>\n• Data theft through insecure connections\u003Cbr \u002F>\n• Privacy violations through referrer leaks\u003Cbr \u002F>\n• Malicious code injection\u003C\u002Fp>\n\u003Cp>✨ \u003Cstrong>What Makes BaseCloud Different:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>🚀 \u003Cstrong>One-Click Protection\u003C\u002Fstrong> – Enable military-grade security with a single click\u003Cbr \u002F>\n🔒 \u003Cstrong>Zero Configuration Required\u003C\u002Fstrong> – Smart defaults protect you instantly\u003Cbr \u002F>\n⚡ \u003Cstrong>Lightning Fast\u003C\u002Fstrong> – No performance impact on your site\u003Cbr \u002F>\n🎛️ \u003Cstrong>Full Control\u003C\u002Fstrong> – Advanced users can customize every setting\u003Cbr \u002F>\n🛠️ \u003Cstrong>Developer Friendly\u003C\u002Fstrong> – Clean, well-documented code\u003Cbr \u002F>\n🔧 \u003Cstrong>No Server Changes\u003C\u002Fstrong> – Works on any hosting provider\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🛡️ Complete Security Arsenal:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🎯 Master Security Switch\u003C\u002Fstrong>\u003Cbr \u002F>\nEnable all protections instantly – perfect for non-technical users who want maximum security without complexity.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🔐 Force SSL\u002FHTTPS Everywhere\u003C\u002Fstrong>\u003Cbr \u002F>\nAutomatically redirect all HTTP traffic to HTTPS, ensuring all data transmission is encrypted. Protects against man-in-the-middle attacks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🛡️ Content Security Policy (CSP)\u003C\u002Fstrong>\u003Cbr \u002F>\nThe gold standard of XSS protection. Controls exactly which scripts, styles, and resources can run on your site. 
Includes smart defaults that work with 99% of WordPress themes and plugins.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🔒 HTTP Strict Transport Security (HSTS)\u003C\u002Fstrong>\u003Cbr \u002F>\nForces browsers to communicate exclusively over HTTPS, preventing SSL stripping attacks. Includes preload support for maximum protection.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🕵️ Advanced Referrer Policy\u003C\u002Fstrong>\u003Cbr \u002F>\nProtects user privacy by controlling what information is shared when visitors click links, preventing data leaks to third parties.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🎤 Permissions Policy (Feature Policy)\u003C\u002Fstrong>\u003Cbr \u002F>\nBlock unauthorized access to sensitive browser features like camera, microphone, geolocation, and payment APIs – preventing malicious sites from accessing these features.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🍪 Secure Cookie Protection\u003C\u002Fstrong>\u003Cbr \u002F>\nAutomatically applies HttpOnly and Secure flags to session cookies, preventing JavaScript access and ensuring cookies are only sent over HTTPS.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>👻 Server Fingerprinting Protection\u003C\u002Fstrong>\u003Cbr \u002F>\nRemoves server signatures and version information that hackers use to identify vulnerabilities in your hosting setup.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>⚡ Essential Security Headers Included:\u003C\u002Fstrong>\u003Cbr \u002F>\n• X-Frame-Options: SAMEORIGIN (prevents clickjacking)\u003Cbr \u002F>\n• X-Content-Type-Options: nosniff (prevents MIME-type confusion attacks)\u003Cbr \u002F>\n• X-XSS-Protection: 1; mode=block (legacy XSS protection for older browsers)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>💼 Perfect For:\u003C\u002Fstrong>\u003Cbr \u002F>\n• Business owners who want enterprise security without technical complexity\u003Cbr \u002F>\n• Developers building secure WordPress applications\u003Cbr \u002F>\n• Agencies managing multiple client sites\u003Cbr \u002F>\n• Anyone serious about website 
security\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🎯 Use Cases:\u003C\u002Fstrong>\u003Cbr \u002F>\n• E-commerce sites handling sensitive customer data\u003Cbr \u002F>\n• Membership sites with user logins\u003Cbr \u002F>\n• Business websites with contact forms\u003Cbr \u002F>\n• Blogs that want to protect visitor privacy\u003Cbr \u002F>\n• Development sites that need security during testing\u003C\u002Fp>\n\u003Cp>BaseCloud Security Manager is lightweight, efficient, and designed to integrate seamlessly into your WordPress admin experience without clutter or intrusive advertising.\u003C\u002Fp>\n\u003Ch3>Additional Information\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>🎯 Why Choose BaseCloud Security Manager?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>✅ \u003Cstrong>Instant Protection\u003C\u002Fstrong> – Works immediately after activation\u003Cbr \u002F>\n✅ \u003Cstrong>Zero Learning Curve\u003C\u002Fstrong> – No technical knowledge required\u003Cbr \u002F>\n✅ \u003Cstrong>Enterprise Grade\u003C\u002Fstrong> – Same technology used by Fortune 500 companies\u003Cbr \u002F>\n✅ \u003Cstrong>Fully Customizable\u003C\u002Fstrong> – Advanced users have complete control\u003Cbr \u002F>\n✅ \u003Cstrong>Regular Updates\u003C\u002Fstrong> – Stay protected against emerging threats\u003Cbr \u002F>\n✅ \u003Cstrong>Expert Support\u003C\u002Fstrong> – Professional team ready to help\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🔗 Useful Links:\u003C\u002Fstrong>\u003Cbr \u002F>\n• \u003Cstrong>Documentation:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwww.basecloudglobal.com\u002Fsecurity-manager-docs\" rel=\"nofollow ugc\">BaseCloud Security Docs\u003C\u002Fa>\u003Cbr \u002F>\n• \u003Cstrong>Support:\u003C\u002Fstrong> support@basecloudglobal.com\u003Cbr \u002F>\n• \u003Cstrong>Security Testing:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fobservatory.mozilla.org\" rel=\"nofollow ugc\">Mozilla Observatory\u003C\u002Fa>\u003Cbr \u002F>\n• \u003Cstrong>Header 
Verification:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fsecurityheaders.com\" rel=\"nofollow ugc\">SecurityHeaders.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>🤝 Join Our Community:\u003C\u002Fstrong>\u003Cbr \u002F>\nConnect with other security-conscious WordPress users, get tips, and stay updated on the latest security trends.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>⭐ Love BaseCloud Security Manager?\u003C\u002Fstrong>\u003Cbr \u002F>\nHelp others discover enterprise-grade security by leaving a review. Your feedback helps us improve and helps other users make informed decisions about their website security.\u003C\u002Fp>\n\u003Cp>\u003Cem>Made with ❤️ by the BaseCloud Team – Securing WordPress sites worldwide since 2024\u003C\u002Fem>\u003C\u002Fp>\n","🛡️ Enterprise-grade WordPress security made simple. Implement military-standard HTTP security headers with zero technical knowledge required.",10,895,0,"2026-02-25T14:45:00.000Z","6.8.5","5.8","7.4",[19,20,21,22,23],"hardening","headers","hsts","security","xss","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbasecloud-security-manager.1.0.26.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":26,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},"basecloud",2,50,30,94,"2026-04-04T05:00:54.177Z",[38,59,80,97,113],{"slug":39,"name":40,"version":41,"author":42,"author_profile":43,"description":44,"short_description":45,"active_installs":46,"downloaded":47,"rating":48,"num_ratings":49,"last_updated":50,"tested_up_to":51,"requires_at_least":52,"requires_php":17,"tags":53,"homepage":57,"download_link":58,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"headers-security-advanced-hsts-wp","Headers Security Advanced & HSTS WP","5.2.5","Andrea Ferro","https:\u002F\u002Fprofiles.wordpress.org\u002Funicorn03\u002F","\u003Cp>\u003Cstrong>Headers 
Security Advanced & HSTS WP\u003C\u002Fstrong> is the best all-in-one free plug-in for all WordPress users. Deactivating this plugin will return your site configuration exactly to the state it was in before.\u003C\u002Fp>\n\u003Cp>The \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> project implements HTTP response headers that your site can use to increase the security of your website. The plug-in will automatically set up all best practices (you don’t have to think about anything); these HTTP response headers can prevent modern browsers from running into easily predictable vulnerabilities. The Headers Security Advanced & HSTS WP project wants to popularize and increase awareness and usage of these headers for all WordPress users.\u003C\u002Fp>\n\u003Cp>This plugin is developed by OpenHeaders by irn3; we care about WordPress security and best practices.\u003C\u002Fp>\n\u003Cp>Check out the best features of \u003Cstrong>Headers Security Advanced & HSTS WP:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>X-XSS-Protection (Deprecated)\u003C\u002Fli>\n\u003Cli>Pragma (Deprecated)\u003C\u002Fli>\n\u003Cli>Public-Key-Pins (Deprecated)\u003C\u002Fli>\n\u003Cli>Expect-CT (Deprecated)\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Origin\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Methods\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Headers\u003C\u002Fli>\n\u003Cli>X-Content-Security-Policy\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-Permitted-Cross-Domain-Policies\u003C\u002Fli>\n\u003Cli>X-Powered-By\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>HTTP Strict Transport Security \u002F 
HSTS\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Clear-Site-Data\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Resource-Policy\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003Cli>Strict-dynamic\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>FLoC (Federated Learning of Cohorts)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> is based on \u003Cstrong>OWASP CSRF\u003C\u002Fstrong> to protect your wordpress site. Using OWASP CSRF, once the plugin is installed, it will provide full CSRF mitigation without having to call a method to use nonce on the output. The site will be secure despite having other vulnerable plugins (CSRF).\u003C\u002Fp>\n\u003Cp>HTTP security headers are a critical part of your website’s security. After automatic implementation with Headers Security Advanced & HSTS WP, they protect you from the most notorious types of attacks your site might encounter. 
These headers protect against XSS, code injection, clickjacking, etc.\u003C\u002Fp>\n\u003Cp>We have put a lot of effort into making the most important services operational with \u003Cstrong>Content Security Policy (CSP)\u003C\u002Fstrong>, below are some examples that we have tested and used with \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>CSP usage for \u003Cstrong>Google Tag Manager\u003C\u002Fstrong>\u003Cbr \u002F>\nworld’s most popular tag manager\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Gravatar\u003C\u002Fstrong>\u003Cbr \u002F>\nAvatar service for WordPress and Social sites\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>WordPress Internal Media\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport WordPress media\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Youtube Embedded Video SDK\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Youtube embedded frames and JS SDK\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>CookieLaw\u003C\u002Fstrong>\u003Cbr \u002F>\nprivacy technology to meet regulatory requirements\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Mailchimp\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Mailchimp automation, SDK and modules\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Google Analytics\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for basic conversion domains such as: stats.g.doubleclick.net and www.google.com\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Google Fonts\u003C\u002Fstrong>\u003Cbr \u002F>\nyou’re not loading it on the page, chances are one of your SDKs is using it\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Facebook\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Facebook SDK functionality\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Stripe\u003C\u002Fstrong>\u003Cbr \u002F>\nhighly secure online payment system\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>New Relic\u003C\u002Fstrong>\u003Cbr \u002F>\nit’s a 
registration and monitoring utility\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Linkedin Tags + SDKs\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Linkedin Insight, Linkedin Ads and SDK\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>OneTrust\u003C\u002Fstrong>\u003Cbr \u002F>\nOneTrust support helps companies manage privacy requirements\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Moat\u003C\u002Fstrong>\u003Cbr \u002F>\nMoat support to measurement suite such as: ad verification, brand safety, advertising and coverage\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>jQuery\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport of jQuery – JS library\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Twitter Widgets & SDKs\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Connect, Widgets and the Twitter client-side SDK\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Google Maps\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Google Maps as The ggpht used by streetview\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Quantcast Choice\u003C\u002Fstrong>\u003Cbr \u002F>\nQuantcast support for privacy such as GDPR and CCPA\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Twitter Ads & Analytics\u003C\u002Fstrong>\u003Cbr \u002F>\nTwitter support for advertising and Analytics\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Paypal\u003C\u002Fstrong>\u003Cbr \u002F>\nPayPal support for online payment system\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Drift\u003C\u002Fstrong>\u003Cbr \u002F>\nDrift and Driftt support\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Cookiebot\u003C\u002Fstrong>\u003Cbr \u002F>\ncookie and tracker support, GDPR\u002FePrivacy and CCPA compliance\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Vimeo Embedded Videos SDK\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport frames, JS SDK, Froogaloop integration\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>AppNexus (now Xandr)\u003C\u002Fstrong>\u003Cbr 
\u002F>\nAppNexus support for custom retargeting\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Mixpanel\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport analytics tool with SDK\u002FJS to collect client-side data\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Font Awesome\u003C\u002Fstrong>\u003Cbr \u002F>\ntoolkit support for fonts and icons over CSS and Less\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Google reCAPTCHA\u003C\u002Fstrong>\u003Cbr \u002F>\nreCAPTCHA support for fraud and bot protection\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Bootstrap\u003C\u002Fstrong> CDN\u003Cbr \u002F>\nBootstrap support for CSS frameworks\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>HubSpot\u003C\u002Fstrong>\u003Cbr \u002F>\nHubspot support with many features, used for monitoring and mkt functionality\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Hotjar\u003C\u002Fstrong>\u003Cbr \u002F>\nHotjar tracker support for analytics and metrics\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>WP.com\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for wp.com hosting\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Akamai mPulse\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Akamai mPulse, for origin and perimeter integrations\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Cloudflare – Rocket-Loader & Mirage\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Mirage libraries for performance acceleration\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Cloudflare – CDN.js\u003C\u002Fstrong>\u003Cbr \u002F>\nCloudflare’s open CDN support with multiple libraries\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>jsDelivr\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport jsDelivr free CDN for Open Source\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> is based on the OWASP CSRF standard to protect your wordpress site. 
Using the OWASP CSRF standard, once the plugin is installed, you can customize CSP rules for full CSRF mitigation. The site will be secure despite having other vulnerable plugins (CSRF).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Integration with Sentry, Report URI, URIports and Datadog\u003C\u002Fstrong>\u003Cbr \u002F>\nSentry is a well-known platform for monitoring and tracking errors in applications. By integrating Sentry with our plugin, users can:\u003Cbr \u002F>\n  * Receive detailed reports on content security policy (CSP) violations.\u003Cbr \u002F>\n  * Monitor and analyze JavaScript exceptions occurring on their site.\u003Cbr \u002F>\n  * Benefit from advanced tools for proactive troubleshooting.\u003C\u002Fp>\n\u003Cp>Monitoring and Integration with Sentry, Datadog and URI Reports for optimal security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>All Free Features\u003C\u002Fstrong>\u003Cbr \u002F>\nThe \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> version includes all the free features.\u003C\u002Fp>\n\u003Cp>We have implemented \u003Cstrong>FLoC (Federated Learning of Cohorts)\u003C\u002Fstrong>, using best practices. First, using \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> prevents the browser from including your site in the “cohort calculation” on \u003Cstrong>FLoC (Federated Learning of Cohorts)\u003C\u002Fstrong>. This means that nothing can call document.interestCohort() to get the FLoC ID of the currently used client. Obviously, this does nothing outside of your currently visited site and does not “disable” FLoC on the client beyond that scope.\u003C\u002Fp>\n\u003Cp>Even though \u003Cstrong>FLoC\u003C\u002Fstrong> is still fairly new and not yet widely supported, as programmers we think that privacy protection elements are important, so we choose to give you the feature of being opt out of FLoC! 
We’ve created a special \u003Cstrong>“automatic blocking of FLoC”\u003C\u002Fstrong> feature, trying to always \u003Cstrong>offer the best tool with privacy protection and cyber security\u003C\u002Fstrong> as main targets and focus.\u003C\u002Fp>\n\u003Cp>Analyze your site before and after using \u003Cem>Headers Security Advanced & HSTS WP\u003C\u002Fem> security headers are self-configured according to HTTP Security Headers and HTTP Strict Transport Security \u002F HSTS best practices.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Check HTTP Security Headers on \u003Ca href=\"https:\u002F\u002Fsecurityheaders.com\u002F\" rel=\"nofollow ugc\">securityheaders.com\u003C\u002Fa> \u003C\u002Fli>\n\u003Cli>Check HTTP Strict Transport Security \u002F HSTS at \u003Ca href=\"https:\u002F\u002Fhstspreload.org\u002F\" rel=\"nofollow ugc\">hstspreload.org\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check WebPageTest at \u003Ca href=\"https:\u002F\u002Fwww.webpagetest.org\u002F\" rel=\"nofollow ugc\">webpagetest.org\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check HSTS test website \u003Ca href=\"https:\u002F\u002Fgf.dev\u002Fhsts-test\u002F\" rel=\"nofollow ugc\">gf.dev\u002Fhsts-test\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check CSP test website \u003Ca href=\"https:\u002F\u002Fcsper.io\u002Fevaluator\" rel=\"nofollow ugc\">csper.io\u002Fevaluator\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check CSP Evaluator \u003Ca href=\"https:\u002F\u002Fcsp-evaluator.withgoogle.com\u002F\" rel=\"nofollow ugc\">csp-evaluator.withgoogle.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>CSP Content Security Policy Generator \u003Ca href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fcontent-security-policy-gen\u002F\" rel=\"nofollow ugc\">addons.mozilla.org\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is updated periodically, our limited support is free, we are available for your feedback (bugs, compatibility issues or recommendations for next updates). 
We are usually fast :-D.\u003C\u002Fp>\n","Best all-in-one WordPress security plugin, uses HTTP & HSTS response headers to avoid vulnerabilities: XSS, injection, clickjacking. Force HTTP\u002FHTTPS.",90000,1308613,98,77,"2026-01-18T14:24:00.000Z","6.9.4","4.7",[54,55,20,56,21],"clickjacking","csp","headers-security","https:\u002F\u002Fopenheaders.org","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheaders-security-advanced-hsts-wp.5.2.5.zip",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":69,"num_ratings":70,"last_updated":71,"tested_up_to":72,"requires_at_least":73,"requires_php":74,"tags":75,"homepage":24,"download_link":78,"security_score":79,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"csp-manager","Content Security Policy Manager","1.2.1","Patrick Sletvold","https:\u002F\u002Fprofiles.wordpress.org\u002F16patsle\u002F","\u003Cp>\u003Cstrong>Content Security Policy Manager\u003C\u002Fstrong> is a WordPress plugin that allows you to easily configure \u003Ca href=\"https:\u002F\u002Fdeveloper.mozilla.org\u002Fen-US\u002Fdocs\u002FWeb\u002FHTTP\u002FCSP\" rel=\"nofollow ugc\">Content Security Policy headers\u003C\u002Fa> for your site. You can have different CSP headers for the admin interface, the frontend for logged in users, and the frontend for regular visitors. The CSP directives can be individually enabled, and each policy can be set to enforce, report or be disabled.\u003C\u002Fp>\n\u003Cp>Please note that this plugin offers limited help in figuring out what the contents of the policy should be. It only lets you configure the CSP in a easy to use interface.\u003C\u002Fp>\n","Plugin for configuring Content Security Policy headers for your site. 
Allows different CSP headers for admin, logged in frontend and regular visitors",2000,33739,86,6,"2022-08-09T17:33:00.000Z","6.1.10","4.6","7.2",[76,55,22,77,23],"content-security-policy","security-headers","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-manager.1.2.1.zip",85,{"slug":81,"name":82,"version":83,"author":84,"author_profile":85,"description":86,"short_description":87,"active_installs":26,"downloaded":88,"rating":89,"num_ratings":32,"last_updated":90,"tested_up_to":91,"requires_at_least":92,"requires_php":74,"tags":93,"homepage":95,"download_link":96,"security_score":79,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"secure-http-headers","Secure HTTP Headers","1.0","shasha310","https:\u002F\u002Fprofiles.wordpress.org\u002Fshasha310\u002F","\u003Cp>Harden your web applications.\u003C\u002Fp>\n\u003Cp>HTTP header fields are components of the header section of request and response messages. The headers define the operating parameters of an HTTP transaction.\u003C\u002Fp>\n\u003Cp>Securing HTTP headers will improve the resilience of your web application against many common attacks including those that are on the OWASP top 10 list.\u003C\u002Fp>\n\u003Cp>Securing headers can also improve your SEO rank, in addition to preventing websites from being marked as dangerous by browsers and antivirus applications.\u003C\u002Fp>\n\u003Cp>Protect sensitive user information and be compliant with privacy regulations. Defend users from theft of private data by protecting website cookies. 
Use the proper directive such as “secure”, “httponly” and “samesite”, all of those will be applied automatically by “Secure HTTP Headers” plugin.\u003C\u002Fp>\n\u003Cp>Secure HTTP Headers will automatically analyze any website and will build up secure headers directives, by the latest best practice.\u003C\u002Fp>\n\u003Cp>In addition, Secure HTTP Headers offers fully configurable options, apply or skip any header directive as needed.\u003C\u002Fp>\n\u003Cp>Install and activate Secure HTTP Headers with full confidence, the deactivation of this plugin will return your website header directives to their original state.\u003C\u002Fp>\n\u003Ch3>Main plugin functionality\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\n\u003Cp>HTTP Strict Transport Security – helps to protect websites against man-in-the-middle attacks and cookie hijacking\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Frame-Options – helps to protect users against ClickJacking attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Content-Type-Options  – helps to prevent the browser from MIME-sniffing\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Referrer-Policy – helps to control how much referrer information should be included with requests\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Clear-Site-Data – helps to ensure that data is deleted from the browser if the user logs out\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Download-Options – helps to control how IE 8 will handle downloaded HTML files\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Access-Control-Allow-Origin – helps to ensure whether the response can be shared with requesting code from the given origin\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Embedder-Policy – helps to prevent a document from loading any cross-origin resources that don’t explicitly grant the document permission\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Permissions-Policy – helps to allow and deny the use of browser 
features in its own frame, and in content within any iframe elements in the document\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Opener-Policy – helps to protect websites against a set of cross-origin attacks dubbed XS-Leaks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cross-Origin-Resource-Policy – helps to protect websites against speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>X-Permitted-Cross-Domain-Policies – helps to control how cross-domain requests from Flash and PDF documents are handled\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Http-Only flag – helps to protect websites against Cross-Site Scripting, or XSS attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Secure flag – helps to ensure that cookie is sent over a secure connection\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Cookie Samesite Lax flag – helps to protect websites against CSRF and XSSI attacks\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Expect-CT – helps to prevent the use of misissued certificates for a website. 
Note: The Expect-CT will likely become obsolete in June 2021\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>What are the optional extras?\u003C\u002Fh3>\n\u003Cp>Magnisec is offering “Secure HTTP Headers enhanced”\u003C\u002Fp>\n\u003Cp>A plugin that additionally contains an engine that watches for website changes and builds a CSP (Content Security Policy) that follows best practice and is recommended by professional security experts, mitigating XSS (Cross-Site Scripting), one of the most common and destructive attacks.\u003C\u002Fp>\n\u003Cp>Price: 50$ \u002Fyear for a domain.\u003C\u002Fp>\n\u003Cp>More details and installation \u003Ca href=\"https:\u002F\u002Fmagnisec.com\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fp>\n","Secure HTTP headers - Essential, and easy.",2542,60,"2021-04-13T08:27:00.000Z","5.7.15","5.3",[94,19,20,22],"cookies","https:\u002F\u002Fmagnisec.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-http-headers.1.0.zip",{"slug":98,"name":99,"version":83,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":26,"downloaded":104,"rating":13,"num_ratings":13,"last_updated":105,"tested_up_to":51,"requires_at_least":106,"requires_php":107,"tags":108,"homepage":111,"download_link":112,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"security-hardener","Security Hardener","Marc Armengou","https:\u002F\u002Fprofiles.wordpress.org\u002Fmarc4\u002F","\u003Cp>\u003Cstrong>Security Hardener\u003C\u002Fstrong> implements the official WordPress hardening guidelines from the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fhardening\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration \u002F Security \u002F Hardening\u003C\u002Fa> documentation. 
It uses WordPress core functions and follows best practices without modifying core files.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>File Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable file editor in WordPress admin\u003Cbr \u002F>\n* Optionally disable all file modifications (blocks updates – use with caution)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable XML-RPC completely (enabled by default)\u003Cbr \u002F>\n* Remove pingback methods\u003Cbr \u002F>\n* Disable self-pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Block \u003Ccode>\u002F?author=N\u003C\u002Fcode> queries (returns 404)\u003Cbr \u002F>\n* Secure REST API user endpoints (require authentication)\u003Cbr \u002F>\n* Remove users from XML sitemaps\u003Cbr \u002F>\n* Prevent canonical redirects that expose usernames\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Login Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generic error messages (no username\u002Fpassword hints)\u003Cbr \u002F>\n* IP-based rate limiting with configurable thresholds\u003Cbr \u002F>\n* Security event logging (last 100 events)\u003Cbr \u002F>\n* Automatic blocking after failed attempts\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Ccode>X-Frame-Options: SAMEORIGIN\u003C\u002Fcode> (clickjacking protection)\u003Cbr \u002F>\n* \u003Ccode>X-Content-Type-Options: nosniff\u003C\u002Fcode> (MIME sniffing protection)\u003Cbr \u002F>\n* \u003Ccode>Referrer-Policy: strict-origin-when-cross-origin\u003C\u002Fcode>\u003Cbr \u002F>\n* \u003Ccode>Permissions-Policy\u003C\u002Fcode> (restricts geolocation, microphone, camera)\u003Cbr \u002F>\n* Optional HSTS (HTTP Strict Transport Security) for HTTPS sites\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Additional Hardening:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Hide WordPress version\u003Cbr \u002F>\n* Clean 
up \u003Ccode>wp_head\u003C\u002Fcode> output\u003Cbr \u002F>\n* Remove unnecessary meta tags and links\u003Cbr \u002F>\n* Security event logging system\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>⚠️ \u003Cstrong>Important:\u003C\u002Fstrong> Always test security settings in a staging environment first. Some features may affect third-party integrations or plugins.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Privacy:\u003C\u002Fstrong> This plugin does not send data to external services and does not create custom database tables. It stores plugin settings and a security event log in the WordPress options table, and uses transients for temporary login attempt tracking. All data is deleted on uninstall.\u003C\u002Fp>\n","Basic hardening: secure headers, user enumeration blocking, generic login errors, IP-based rate limiting, and WordPress security improvements.",496,"2026-03-05T12:13:00.000Z","6.9","8.2",[109,19,20,110,22],"brute-force","login-protection","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsecurity-hardener\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-hardener.1.0.zip",{"slug":114,"name":115,"version":17,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":120,"downloaded":121,"rating":13,"num_ratings":13,"last_updated":122,"tested_up_to":15,"requires_at_least":123,"requires_php":74,"tags":124,"homepage":126,"download_link":127,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"security-headers-caching","Security Headers & Caching","Studio Be4","https:\u002F\u002Fprofiles.wordpress.org\u002Fstudiobe4\u002F","\u003Cp>Security Headers & Caching is a comprehensive WordPress plugin that helps protect your website by implementing essential HTTP security headers and optimizing performance through intelligent caching mechanisms. 
Compatible with all hosting providers including Aruba, SiteGround, Bluehost, and more.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration\u003C\u002Fstrong> – Simple admin interface to enable\u002Fdisable security headers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Security Headers\u003C\u002Fstrong> – Comprehensive security header support\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Smart Caching\u003C\u002Fstrong> – Configurable cache duration for better performance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Universal Compatibility\u003C\u002Fstrong> – Works with all hosting providers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No Conflicts\u003C\u002Fstrong> – Compatible with popular security and caching plugins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Translation Ready\u003C\u002Fstrong> – Full internationalization support\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Headers Included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>X-Powered-By\u003C\u002Fstrong> – Removes server technology information to prevent targeted attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content-Security-Policy (CSP)\u003C\u002Fstrong> – Controls which resources can be loaded to prevent XSS attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Strict-Transport-Security (HSTS)\u003C\u002Fstrong> – Forces HTTPS connections for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-XSS-Protection\u003C\u002Fstrong> – Enables XSS filtering in older browsers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Frame-Options\u003C\u002Fstrong> – Prevents clickjacking attacks by controlling iframe embedding\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Content-Type-Options\u003C\u002Fstrong> – Prevents MIME type sniffing\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer-Policy\u003C\u002Fstrong> – Controls how much referrer information is shared\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permissions-Policy\u003C\u002Fstrong> – Controls browser features and 
APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Caching Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Configurable cache duration (seconds)\u003C\u002Fli>\n\u003Cli>Automatic cache headers management\u003C\u002Fli>\n\u003Cli>Compatible with CDN services\u003C\u002Fli>\n\u003Cli>No conflict with existing cache plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Why Security Headers Matter\u003C\u002Fh4>\n\u003Cp>Security headers are HTTP response headers that tell your browser how to behave when handling your website’s content. They help protect against:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Cross-Site Scripting (XSS) attacks\u003C\u002Fli>\n\u003Cli>Clickjacking attempts\u003C\u002Fli>\n\u003Cli>Code injection attacks\u003C\u002Fli>\n\u003Cli>MIME type sniffing\u003C\u002Fli>\n\u003Cli>Protocol downgrade attacks\u003C\u002Fli>\n\u003Cli>And much more…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Developer Friendly\u003C\u002Fh4>\n\u003Cp>The plugin provides filters for developers to customize headers:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>shc_security_headers\u003C\u002Fcode> – Filter to modify security headers array\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Test Your Security\u003C\u002Fh4>\n\u003Cp>After installing and configuring the plugin, test your site’s security at:\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fsecurityheaders.com\u002F\" rel=\"nofollow ugc\">Security Headers\u003C\u002Fa>\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fobservatory.mozilla.org\u002F\" rel=\"nofollow ugc\">Mozilla Observatory\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>This plugin does not collect, store, or transmit any user data. 
It only modifies HTTP response headers sent by your server.\u003C\u002Fp>\n\u003Ch3>Developer Documentation\u003C\u002Fh3>\n\u003Ch4>Filters\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>shc_security_headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Modify the security headers before they are sent.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'shc_security_headers', function( $headers ) {\n    \u002F\u002F Add custom header\n    $headers['X-Custom-Header'] = 'custom-value';\n\n    \u002F\u002F Modify existing header\n    $headers['X-Frame-Options'] = 'DENY';\n\n    return $headers;\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Constants\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>SHC_VERSION\u003C\u002Fcode> – Plugin version number\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_DIR\u003C\u002Fcode> – Plugin directory path\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_URL\u003C\u002Fcode> – Plugin directory URL\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_BASENAME\u003C\u002Fcode> – Plugin basename\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, feature requests, or bug reports, please visit:\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fwww.studiobe4.it\" rel=\"nofollow ugc\">Plugin Website\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Developed by \u003Ca href=\"https:\u002F\u002Fwww.studiobe4.it\" rel=\"nofollow ugc\">Studio Be4\u003C\u002Fa> – Web Design & Development Agency\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003C\u002Fp>\n","Enhance your WordPress site security with HTTP security headers and improve performance with smart caching. 
Works with all hosting providers.",20,846,"2025-10-08T11:04:00.000Z","5.9",[125,55,20,21,22],"cache","https:\u002F\u002Fwww.studiobe4.it\u002Fsecurity-headers-caching","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-headers-caching.7.4.zip",{"attackSurface":129,"codeSignals":161,"taintFlows":211,"riskAssessment":239,"analyzedAt":255},{"hooks":130,"ajaxHandlers":157,"restRoutes":158,"shortcodes":159,"cronEvents":160,"entryPointCount":13,"unprotectedCount":13},[131,137,141,145,149,153],{"type":132,"name":133,"callback":134,"file":135,"line":136},"action","init","early_init_tasks","basecloud-security-manager-bc.php",37,{"type":132,"name":138,"callback":139,"file":135,"line":140},"admin_menu","add_admin_menu",38,{"type":132,"name":142,"callback":143,"file":135,"line":144},"admin_init","settings_init",39,{"type":132,"name":146,"callback":147,"file":135,"line":148},"send_headers","add_security_headers",40,{"type":132,"name":150,"callback":151,"file":135,"line":152},"wp_loaded","maybe_force_ssl",41,{"type":132,"name":154,"callback":155,"file":135,"line":156},"admin_enqueue_scripts","enqueue_admin_styles",42,[],[],[],[],{"dangerousFunctions":162,"sqlUsage":180,"outputEscaping":182,"fileOperations":209,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":210},[163,168,171,174,177],{"fn":164,"file":165,"line":166,"context":167},"exec","deploy.php",92,"exec('git add .', $output, $return_code);",{"fn":164,"file":165,"line":169,"context":170},101,"exec(\"git commit -m \\\"{$commit_message}\\\"\", $output, $return_code);",{"fn":164,"file":165,"line":172,"context":173},109,"exec(\"git tag v{$new_version}\", $output, $return_code);",{"fn":164,"file":165,"line":175,"context":176},117,"exec('git push origin local', $output, $return_code);",{"fn":164,"file":165,"line":178,"context":179},125,"exec(\"git push origin v{$new_version}\", $output, 
$return_code);",{"prepared":13,"raw":13,"locations":181},[],{"escaped":183,"rawEcho":184,"locations":185},11,12,[186,189,191,193,195,197,198,199,201,203,205,207],{"file":135,"line":187,"context":188},527,"raw output",{"file":135,"line":190,"context":188},541,{"file":135,"line":192,"context":188},555,{"file":135,"line":194,"context":188},557,{"file":135,"line":196,"context":188},586,{"file":165,"line":140,"context":188},{"file":165,"line":144,"context":188},{"file":165,"line":200,"context":188},65,{"file":165,"line":202,"context":188},70,{"file":165,"line":204,"context":188},82,{"file":165,"line":206,"context":188},114,{"file":165,"line":208,"context":188},135,7,[],[212,231],{"entryPoint":213,"graph":214,"unsanitizedCount":229,"severity":230},"maybe_force_ssl (basecloud-security-manager-bc.php:639)",{"nodes":215,"edges":226},[216,221],{"id":217,"type":218,"label":219,"file":135,"line":220},"n0","source","$_SERVER['HTTP_HOST']",645,{"id":222,"type":223,"label":224,"file":135,"line":220,"wp_function":225},"n1","sink","wp_redirect() [Open Redirect]","wp_redirect",[227],{"from":217,"to":222,"sanitized":228},false,1,"medium",{"entryPoint":232,"graph":233,"unsanitizedCount":229,"severity":230},"\u003Cbasecloud-security-manager-bc> (basecloud-security-manager-bc.php:0)",{"nodes":234,"edges":237},[235,236],{"id":217,"type":218,"label":219,"file":135,"line":220},{"id":222,"type":223,"label":224,"file":135,"line":220,"wp_function":225},[238],{"from":217,"to":222,"sanitized":228},{"summary":240,"deductions":241},"The 'basecloud-security-manager' plugin version 1.0.26 exhibits a mixed security posture. On the positive side, there are no recorded vulnerabilities (CVEs), no raw SQL queries, and the plugin does not make external HTTP requests, all of which are strong indicators of good security practices. The absence of a large attack surface through AJAX, REST API, shortcodes, or cron events is also a strength.\n\nHowever, significant concerns arise from the static code analysis. 
The presence of five instances of the 'exec' function is a major red flag, as this function can be exploited to execute arbitrary operating system commands if user-supplied input is not rigorously sanitized. Furthermore, the taint analysis reveals two flows with unsanitized paths, indicating potential for these dangerous functions to be triggered by malicious input. The low percentage (48%) of properly escaped outputs also suggests a risk of Cross-Site Scripting (XSS) vulnerabilities. The complete lack of nonce and capability checks on potential entry points, although the attack surface is currently reported as zero, means any future additions could be vulnerable without these essential security measures.\n\nGiven the absence of past vulnerabilities, it's difficult to definitively assess the plugin's historical security track record. However, the current code analysis highlights critical areas that require immediate attention. The potential for command injection via 'exec' and XSS via unescaped output, coupled with the lack of authorization checks and sanitization on identified data flows, presents a significant risk. 
While the plugin has strengths in areas like SQL query handling and external requests, the identified code-level weaknesses overshadow these positives, necessitating a cautious approach to its use.",[242,245,247,250,253],{"reason":243,"points":244},"Dangerous function 'exec' found",15,{"reason":246,"points":184},"Taint flows with unsanitized paths",{"reason":248,"points":249},"Low percentage of properly escaped output",8,{"reason":251,"points":252},"No nonce checks",5,{"reason":254,"points":252},"No capability checks","2026-03-17T00:11:20.128Z",{"wat":257,"direct":263},{"assetPaths":258,"generatorPatterns":260,"scriptPaths":261,"versionParams":262},[259],"\u002Fwp-content\u002Fplugins\u002Fbasecloud-security-manager\u002Fbasecloud-security-manager.php",[],[],[],{"cssClasses":264,"htmlComments":275,"htmlAttributes":276,"restEndpoints":277,"jsGlobals":278,"shortcodeOutput":279},[265,266,267,268,269,270,271,272,273,274],"bc-wrap","bc-container","bc-header","bc-header-left","bc-logo","bc-version","bc-grid","bc-stat","bc-stat-label","bc-stat-val",[],[],[],[],[]]