
SecuPress v2.3 aka Starboost


This v2.3 may be the best version of SecuPress ever, read that again.

Starboost 2.3

Starboost, the codename for this v2.3, is my favorite Iron Man Armor, and this 2.3 is also my favorite version of SecuPress, both the free and the pro one. But why?

Not only because it took me time (again), but because of its efficiency and all the hard work I’ve put into it.

As always, I stay updated on Web Security and mainly on WP Security. I audit and clean hacked websites, so I encounter a lot of malware, old and new. The new ones are what make this version very good, paradoxical, huh?

Each time I find a new type of malware designed to hack a WP site, I try to find how to counter it using SecuPress. Sometimes it’s just a new malware signature in my malware database, but sometimes I have to do way more.

So let’s see some of the new and revamped features, if you want to read the full changelog, go.

New features

Databases Autoupdates

Our databases of malware, keywords, etc. are now stored here at secupress.me. Your license will now connect and grab our data to update yours, without waiting for a new version of SecuPress (happily).

This is a major great point in this 2.3 pro version. For free users, the databases are still included in the plugin, but you’ll have to wait for an update to get the latest ones; I promise to try to update more often.

Dashboard Widget

Since SecuPress 1.0 this is a feature I wanted to add, so why wait so long? Don’t ask, just appreciate 😉 haha

[Screenshot: dashboard widget]

Not sexy, but it does the job!

License Status

[Screenshot: license validation]

Not related to your security, but pro users can now check the license status and how many websites are left on it.

Single Sign-On (SSO)

If you have a multisite with the Move Login Page module enabled, you may have noticed that if you change sites while you’re a member of those sites, you’ll get an error page indicating that you don’t have the correct URL, or that you don’t have a current session on that site.

With this SSO feature enabled, your session will be automatically transferred to the other sites, allowing you to log in anywhere on the multisite in question—a very useful way to save time while maintaining security.

[Screenshot: single sign-on]

Password Spraying

[Screenshot: password spraying]

As a new option under the Login Control settings, you’ll find a Password Spraying protection. You may not know about it or even have heard of it, so let me explain quickly.

A Brute Force Attack is when an attacker has a login and tries to find the password by attempting to log in with a ton of different passwords.

A Password Spraying Attack is when an attacker has a password and tries to find the login by attempting to log in with a ton of different logins.

Kind of the opposite. If the attacker already has all the logins from your site (hello REST API), they will just try the same password once on each login, so none of the accounts gets flagged as “Brute forced”, because they’re not.

Activating this feature prevents Password Spraying Attacks; we even use the Levenshtein Distance Algorithm to widen the detection, so near-identical passwords tried against different logins count as the same spray.
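As an added illustration (not SecuPress’s own code, which the post does not show), here is a detector built on the idea above: instead of counting failed passwords per login like brute-force protection does, it counts distinct logins per password, and uses Levenshtein distance so “Winter2024!” and “Winter2025!” are treated as one spray. The thresholds, the in-memory window and the sample attempts are assumptions.

```python
from collections import deque
import time


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


class SprayDetector:
    """Flags a password spray: one (near-)identical password tried against many logins.

    Failed attempts are kept only in memory and only for `window` seconds;
    nothing is written to disk (assumed design, mirroring the post's promise
    that the login-form password is never stored).
    """

    def __init__(self, max_logins=3, max_distance=2, window=600):
        self.max_logins = max_logins      # distinct logins before we call it a spray
        self.max_distance = max_distance  # edit distance still considered "the same password"
        self.window = window              # seconds of history to keep
        self.failed = deque()             # (timestamp, login, attempted_password)

    def record_failure(self, login: str, password: str, now=None) -> bool:
        """Record a failed login; return True when the spray threshold is reached."""
        now = time.time() if now is None else now
        # Drop attempts that fell out of the sliding window.
        while self.failed and now - self.failed[0][0] > self.window:
            self.failed.popleft()
        self.failed.append((now, login, password))
        # Distinct logins that saw a password within max_distance of this one.
        logins = {l for _, l, p in self.failed
                  if levenshtein(p, password) <= self.max_distance}
        return len(logins) >= self.max_logins
```

A classic brute force (many passwords, one login) never trips this detector; that case is left to the existing Brute Force protection.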

Force Reset Password

[Screenshot: force reset password]

In case of hacking, or suspicion of account hacking, you can now reset everyone’s password in one click. By checking the box, they’ll receive an email informing them about it.

Take care: if you have many users, your host could block the mail function or even the whole website.

Force Logout Everyone

[Screenshot: force logout]

In the same spirit, you may need to disconnect everyone, because resetting passwords does not log people out of their accounts. You can now do it in one click; everyone will be logged out but you.

Forbid Bad Email Domains

[Screenshot: forbid bad email domains]

With Forbid Bad Email Domains, SecuPress checks whether the domain used by the user exists and can deliver emails, because not every domain name can, and of course a fake one cannot.

With this feature, you’ll block fake accounts, fake clients, and bots. In the wild, fake accounts and bots sometimes create random email addresses that lead nowhere, to erase their traces.

This feature auto-updates itself from our remote database.

Forbid Same Email Domain

[Screenshot: forbid same email domain]

This Forbid Same Email Domain feature is available for free users too; nothing from our database is needed, we just do the same check as before but locally: if a user’s email address is trying to use your domain name, it will be refused. Existing users will not be affected, only future ones.

If you need to add a legit user with your domain name as email, deactivate the feature, create them, reactivate.

In the wild, fake accounts tend to use your domain name to bypass some verification and seem more legit to administrators.

Reinstall All Your Plugins

[Screenshot: reinstall all your plugins]

In one click, you can reinstall a fresh and updated version of all your plugins (if they come from wp.org, or if a premium plugin is correctly developed to fetch from its own server).

This is a powerful feature when you suspect a hack is coming from a plugin modified by malware.

Scripts Concatenation

[Screenshot: scripts concatenation]

WordPress has a vulnerability, yep, for years now, and it won’t be fixed. Don’t ask me why. Here it is: CVE-2018-6389, an Uncontrolled Resource Consumption vulnerability.

We can counter that just by setting the native constant named CONCATENATE_SCRIPTS to false. Now, instead of having a PHP file concatenate each JS or CSS file passed as a parameter, each file is loaded one by one.

If you’re using a File Cache Plugin, it may merge them into one, which is better from a security standpoint.

Skip New Bundles

[Screenshot: skip new bundles]

Each time you update WordPress, it refills your themes with the new à-la-mode one, and why not Hello F Dolly too. With the Skip New Bundles feature, a native WP constant again, this won’t happen anymore.

Talking about security, not having hello.php can prevent simple hacks where this plugin is included and modified by malware; the same goes for the themes you don’t use.

Improved Features

Session Control

[Screenshot: session control]

We’ve added Last Login information under the sessions button, so now you can quickly check, for each account, when the last successful login was.

Captcha V2

Our old Captcha was effective, but an attacker could still Brute Force the login page. Even if a Captcha is not really designed to prevent that, this was considered a vulnerability by our partner Patchstack.

The Captcha has been revamped into 2 Captchas and doesn’t need JavaScript anymore, CSS is powerful enough to handle my needs.

This is still available for free users.

[Screenshot: captcha v2]

Simple: the one that replaces the previous one, but even simpler. Users don’t have to check anything; the box checks itself after a short time and is disabled after too long a wait.

[Screenshot: captcha v2 challenge]

Challenge: you select your favorite emoji set and the visitor will be asked to select one of the items, not too quickly, and not after too long a wait.

[Screenshot: captcha front]

The emoji design is linked to the visitor’s browser, so they already know/recognize them. I love the pig 🙂

Force Strong Password

[Screenshot: force strong password]

The Force Strong Password feature looks the same, but inside it is brand new. Before, this feature was only useful when a new user was created or when a user wanted to update their password.

Why only these 2 cases? Because we do not have access to their raw password. Don’t we??

We do! We do when the user is logging in! So now, when a user with a weak password logs in, we force them to change it for a better one. Still, even if we read your password, we do NOT store it: we just run a PHP algorithm locally on the password from the login form, that’s it, still secure, no data loss possible.

Forbid User Creation

[Screenshot: forbid user creation]

Forbid User Creation is now accessible under the new Protect User Creation feature. Protect User Creation is my favorite feature in SecuPress Pro 2.3, and the second one in all of SecuPress Pro after the Malware Scanner.

This feature has been tested on many client sites before arriving here; I’ve used it personally to prevent hacks on sites during 2024.

This feature deserves a blog post, so let me create it: SecuPress 2.3 and the awesome Protect User Creation Feature.

Forbid Bad Usernames

[Screenshot: forbid bad usernames]

The Forbid Bad Usernames feature comes with 2 settings.

Forbid “admin” usernames: not only “admin”, which is already handled correctly by SecuPress, but any other login using “admin” in its name. In the wild, some accounts use “admin” in the login to seem more legit.

Rename the users’ nickname: this is the same as the plugin named “SX User Name Security”, where I’m co-author with my friend Daniel. If a user is created or updated with a display name identical to their login, the display name is replaced with something human-readable like “Jocosi R. Oditijumaji”.

Plugin Actions

Before 2.3 this feature was split into 4 and only the first one was accessible to free users, see:

[Screenshot: plugin actions (old)]

Since 2.3, the 4 features are now merged into 1 and now accessible to free users!

[Screenshot: plugin actions]

1 checkbox does the job of 4, because, who checked fewer than 4 when 4 were available? Raise your hand!

Theme Actions

[Screenshot: theme actions]

Same thing but for your themes.

Display All Plugins

[Screenshot: display all plugins]

New malware disguised as a plugin tends to hide itself on the plugins admin page. This Display All feature tries to force every plugin to be shown on the main page; even the pagination is gone. Here’s an example with plugins hidden with JS or CSS:

[Screenshot: display all demo]

As you can see, SecuPress displays all plugins, even the one hidden with a CSS display:none rule. It can do the same with JS, even if the row was removed using jQuery.remove(), or even with PHP, where a filter removes the plugin using unset(). Very powerful.

Monitor Vulnerable Plugins

This feature hasn’t been directly modified, but it now includes new monitoring for every plugin from wp.org. It checks whether the plugin has been removed from the repository or not updated for 2 years or more, and notifies you in the dashboard. This cannot be unchecked.

[Screenshot: monitor repo]

Monitor Vulnerable Themes

Same thing but for your themes.

Database Errors

[Screenshot: database errors]

This Database Errors feature has been greatly modified. Previously, we forced DB errors not to be displayed; of course, displaying any DB information is an information disclosure flaw.

But sometimes your site is not reachable, for like 5 seconds, a host issue, or just a server reboot, and then it’s OK again, BUT, spoiler alert, the value of your DB_HOST is displayed by WordPress in front of everyone. We fixed that.

[Screenshot: db error demo]

As you can see, there is no leak anymore, we display DB_HOST and not the value of the DB_HOST constant. Another WP Flaw patched by SecuPress 😉

Author Base Page

The idea of hiding things is not my favorite, but it can still be helpful in some ways, so on demand I’ve added the possibility to change the base slug for authors; this is a feature from the plugin “SF Author URL Control”.

[Screenshot: author base page]

Bad URL Access and File Extensions

This was only called “Bad URL Access” previously and the “Bad File Extensions” was part of the Files module.

But now, instead of having a list of unauthorized URLs and file extensions, I’ve modified the behaviour to use an authorized-only list. So by default, everything that is NOT WordPress related is blocked.

This can cause many errors on your site at first; if you have custom folders or scripts, you will have to add them to the custom list of Allowed URLs:

[Screenshot: bad URL access and file extensions]

This is way more secure, even if at first it can be painful to set up. I know by experience that this method is way more effective: you can even have a breach and be exploited, BUT in the end the hack in place is not exploitable, thanks to this feature.

Block Bad Request Methods

This feature is gone, deleted, like some have been in the past. Like I said, updating a plugin, a product, is not just adding things, if it’s not helpful anymore, deleting it is a good choice. Next!

[Screenshot: block bad request methods, RIP]

Block AI Bots

AI is everywhere these days; you can’t miss it, or maybe you lived in a cave for a few years. AI is a great tool, but when AI comes to your site to steal your content, it’s not that good. You can now simply block about 200 AI user agents in one click.

[Screenshot: block AI bots]

Block Requests that Contain Function Names

This is currently under test in beta. I’m using it, but still have false positives sometimes; it depends on the other installed plugins, of course. If you use it and encounter some issues, please drop us a message. Since it’s in beta, if your issue is blocking you, just deactivate this feature. Maybe we will remove it later, or keep it if it proves effective.

How does this work: many malware files do not want to be scanned and tagged as “bad” because we’d find some PHP function names inside, so they use a trick: they simply put the function names in your URLs; their script reads them from there and runs the functions.

But with this feature, we block any request whose URL contains a PHP function name. The issue arises when a plugin uses a function name not for the function itself but simply as a slug, and that is the issue…
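To make the false-positive problem concrete, here is an added illustration (not SecuPress’s code): a checker that tokenizes the URL path and query string, matches tokens against PHP function names, and honours a per-site allow-list for names that are legitimately used as slugs. The function-name list, the allow-list and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Illustrative subset of PHP function names (constructed; the plugin's real list is not on the page).
# "sort" and "reset" are real PHP functions that also show up as harmless slugs.
FUNCTION_NAMES = {
    "eval", "assert", "system", "exec", "passthru", "shell_exec",
    "base64_decode", "file_put_contents", "sort", "reset",
}

# Constructed per-site allow-list: words that are function names but are legitimate slugs here.
ALLOWED_SLUGS = {"sort", "reset"}

_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def url_tokens(url: str):
    """Yield identifier-like tokens from the decoded path, query keys and query values."""
    parts = urlsplit(url)
    sources = [unquote(parts.path)]          # path is percent-decoded by hand
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        sources.append(key)                  # parse_qsl already decodes %xx sequences
        sources.append(value)
    for src in sources:
        for token in _IDENTIFIER.findall(src):
            yield token.lower()


def blocked_function_names(url: str, allowed=ALLOWED_SLUGS):
    """Return the sorted list of forbidden function names in the URL; empty means let it through."""
    return sorted({t for t in url_tokens(url) if t in FUNCTION_NAMES and t not in allowed})
```

Run a site’s real traffic through this with an empty allow-list first; every legitimate hit you see is a slug to add to the allow-list before enforcing.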

[Screenshot: block requests containing function names]

SSL

A whole new module page: here you can find anything related to HTTPS/SSL, from forcing SSL and redirecting requests to fixing mixed content. If your site already has an SSL certificate (contact your host), you don’t need any other plugin with “SSL” in its name (see who I mean?).

[Screenshot: SSL]

Anti-Phishing User Protection

Phishing is still an active way to hack people, more than you may think. This feature is simple to understand: you can set up a code in your profile (and one for the site admin), so when this website sends you an email it will include your own code at the end of the message. That way you KNOW it is a legit email coming from your site and not an email trying to lure you.

[Screenshot: anti-phishing user protection]

Malware Scanner

It’s not new, but improved! The main thing is that you now have 3 scanners: Files, DB, and Spam Content. Also, before 2.3, you had to wait for a SecuPress update to get the new malware signatures; now you get them each week! Our automatic data content update is included in the pro version.

[Screenshot: malware scanner]

[Screenshot: malware scanner 2]

Add-ons

We’re happy to recommend (not affiliated, not even paid for it) our friends from WP Umbrella!

[Screenshot: WP Umbrella]

Our Pro Services

Since we offer other services, we included a page with them, feel free to browse and contact us when needed.

[Screenshot: pro services]

What’s missing?

The 2FA module (Two-Factor Authentication) has been revamped and is great, BUT, I can’t understand why, it is not working with WP 6.7 and later. So I have to delay this one. Also, WP is working on implementing a 2FA module in WP core. I’ve tested it, it works fine, but I prefer mine, better UI/UX. Still, it does not work yet :'(

NEXT

The todo list for 2.4 is still full of nice things to come. The priority is stability, and keeping up with Web Security in 2025+: watching what kind of malware is around, and fighting it as usual.

Remember that one of the best features of this version is that you won’t have to wait for another version update to get the latest data; it’s now automatically grabbed from this site 52 times per year :O

BUGS?

Yes, there were, there are, there will be, as always. Any update can contain bugs; if you encounter one, drop us a support request at support@secupress.me. Thank you for your report and your patience.
