Security & Performance
Security hardening with WPS Hide Login, WP 2FA, Activity Log, and Headers Security. Performance optimization with WP Smush Pro and WP Rocket.
Overview
StealthCam implements a comprehensive security and performance stack to protect customer data, prevent attacks, and deliver fast page load times.
Security Plugins
WPS Hide Login v1.9.17.1
Plugin: WPS Hide Login
Location: wp-content/plugins/wps-hide-login/
Purpose
Change the WordPress login URL from the default /wp-admin and /wp-login.php to a custom path, preventing automated bot attacks and brute force attempts.
Features
- Custom Login URL - Hide default login page
- 404 on Default URLs - Return 404 for /wp-admin and /wp-login.php when not logged in
- Redirects - Redirect to custom URL
- White Label - Remove WordPress branding from login
Configuration
Admin: Settings → WPS Hide Login
Custom Login Slug: stealth-admin (example - actual value kept private)
Custom Login URL: https://stealthcam.com/stealth-admin
Access Control
Logged Out Users:
- /wp-admin → 404 error
- /wp-login.php → 404 error
- /stealth-admin → Login page
Logged In Users:
- /wp-admin → WordPress admin
- /stealth-admin → Redirect to dashboard
Security Benefits
- Prevents Brute Force Attacks - Bots can't find login page
- Reduces Server Load - Fewer automated login attempts
- Obscures WordPress - Makes it harder to identify CMS
Recovery
If custom login URL is forgotten:
Via FTP/SFTP:
- Rename plugin folder: wps-hide-login → wps-hide-login-disabled
- Access /wp-login.php (now accessible)
- Login and reset settings
- Rename plugin folder back
Via wp-config.php:
// Temporarily disable plugin
define('WPS_HIDE_LOGIN_DISABLED', true);
WP 2FA v2.8.0
Plugin: WP 2FA – Two-Factor Authentication
Location: wp-content/plugins/wp-2fa/
Purpose
Add two-factor authentication (2FA) for admin accounts to prevent unauthorized access even if passwords are compromised.
Features
- TOTP Support - Time-based one-time passwords (Google Authenticator, Authy, etc.)
- Email Codes - OTP via email
- Backup Codes - One-time recovery codes
- Role-Based Enforcement - Require 2FA for specific roles
- Grace Period - Allow time for users to set up 2FA
- Trusted Devices - Skip 2FA for 30 days on trusted devices
Configuration
Admin: Settings → WP 2FA
2FA Policy:
- Enforcement: Required for Administrators and Editors
- Grace Period: 7 days
- Methods Allowed: TOTP (Google Authenticator), Email
- Trusted Devices: Enabled (30-day trust)
- Backup Codes: 10 codes generated per user
User Setup Flow
1. First Login After Enforcement:
   - User prompted to set up 2FA
   - Choose TOTP or Email method
2. TOTP Setup:
   - Scan QR code with authenticator app
   - Enter verification code to confirm
   - Generate backup codes
3. Subsequent Logins:
   - Enter username/password
   - Enter 6-digit TOTP code or email code
   - Optionally trust device for 30 days
Backup Codes
Generation: 10 one-time codes created during setup
Usage: Each code works once, for emergency access if authenticator device is unavailable
Regeneration: User can regenerate codes from profile page
Security Benefits
- Prevents Credential Theft - Password alone is insufficient
- Protects Against Phishing - TOTP codes change every 30 seconds
- Compliance - Meets security standards for sensitive data
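How the TOTP and backup-code mechanics above work, as an added Python example (not WP 2FA's own code): RFC 6238 codes derived from a shared secret with a one-step drift window, and recovery codes that are stored hashed and deleted on first use. The base32 secret and timestamps are supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # time step used by authenticator apps
DIGITS = 6          # code length entered on the login form

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30), so the code rotates every 30 s."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift),
    comparing in constant time so the check leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, unix_time // STEP_SECONDS + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

class BackupCodes:
    """Ten single-use recovery codes: the user sees them once, only hashes are kept,
    and a code is removed when redeemed so it cannot be replayed."""

    def __init__(self, count: int = 10) -> None:
        self.plain = [secrets.token_hex(4) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.discard(digest)
            return True
        return False
```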
WP Activity Log v5.3.3
Plugin: WP Activity Log (formerly WP Security Audit Log)
Location: wp-content/plugins/wp-security-audit-log/
Purpose
Comprehensive activity logging for WordPress admin actions, user logins, content changes, and security events.
Features
- User Activity Tracking - Login/logout, role changes
- Content Change Logs - Post/page edits, deletions
- Plugin/Theme Activity - Installations, activations, updates
- Database Changes - Settings modifications
- Failed Login Attempts - Brute force detection
- File Integrity Monitoring - Core file changes
- Search & Filtering - Find specific events
- Email Notifications - Alert on critical events
- Reports - Generate activity reports
Logged Events
User Events:
- User login/logout
- Failed login attempts
- User created/deleted
- Role changed
- Profile updated
- Password reset
Content Events:
- Post/page created/updated/deleted
- Post status changed (draft, publish, etc.)
- Category/tag created/modified
- Media uploaded/deleted
Admin Events:
- Plugin installed/activated/deactivated/deleted
- Theme changed
- Widget added/removed
- Menu updated
- Settings changed
Security Events:
- Failed login attempts (username, IP)
- File changes in core/plugin/theme directories
- Database table changes
- Admin created
- Administrator role granted
Event Log Viewer
Location: Activity Log → Log Viewer
Columns:
- Event ID - Unique event code
- Severity - Critical, High, Medium, Low
- Date & Time - Timestamp
- User - Username (or IP if not logged in)
- Event - Description of action
- Object - Affected content/setting
Example Events:
[1001] User logged in
User: john_admin
IP: 192.168.1.100
Time: 2026-04-20 10:30:45
[2001] Post published
User: jane_editor
Post: "New Trail Camera Review"
Time: 2026-04-20 11:15:20
[6007] Plugin activated
User: john_admin
Plugin: WP Rocket
Time: 2026-04-20 14:45:10
[1002] Failed login attempt
Username: admin (invalid)
IP: 203.0.113.50
Time: 2026-04-20 15:30:00
Alerts & Notifications
Email Alerts: Triggered on critical events
Alert Criteria:
- Failed login attempts (5+ from same IP)
- User role changed to Administrator
- Plugin installed by non-admin
- Core file modified
- Critical setting changed
Email Recipients: Primary admin email
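The first alert rule above, implemented over the log viewer's text format, as an added Python example (not WP Activity Log's own code). Event code 1002 is taken from the example events; the 600-second window and the sample entries are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

EVENT_RE = re.compile(r"^\[(\d+)\] (.+)$")   # "[1002] Failed login attempt"
FAILED_LOGIN = 1002                          # event code used in the examples above

def _failure(ip: str, hhmmss: str) -> str:
    """Build one constructed failed-login entry in the log viewer's text format."""
    return (f"[{FAILED_LOGIN}] Failed login attempt\nUsername: admin (invalid)\n"
            f"IP: {ip}\nTime: 2026-04-20 {hhmmss}\n")

# Constructed excerpt (not a real log): one login, a six-attempt burst, one stray failure.
SAMPLE_LOG = (
    "[1001] User logged in\nUser: john_admin\nIP: 192.168.1.100\nTime: 2026-04-20 10:30:45\n"
    + "".join(_failure("203.0.113.50", f"15:30:{s:02d}") for s in (0, 7, 19, 31, 48, 55))
    + _failure("198.51.100.7", "16:02:10")
)

def parse_events(text: str) -> list[dict]:
    """Turn the viewer text into dicts: 'code', 'event', plus lower-cased 'Key: value' fields."""
    events: list[dict] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"code": int(m.group(1)), "event": m.group(2)})
        elif events and ": " in line:
            key, value = line.split(": ", 1)
            events[-1][key.strip().lower()] = value.strip()
    return events

def failed_login_alerts(events: list[dict], threshold: int = 5, window_s: int = 600) -> dict:
    """Return {ip: total_failures} for IPs with >= threshold failures inside any window_s span.
    The 600 s window is an assumption; the page states only '5+ from same IP'."""
    per_ip: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["code"] == FAILED_LOGIN and "ip" in e and "time" in e:
            per_ip[e["ip"]].append(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts[ip] = len(times)
                break
    return alerts
```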
Retention Policy
Storage: MySQL database table
Retention: 6 months (automatically purges older logs)
Backup: Export logs to CSV before purge
Headers Security Advanced & HSTS WP v5.0.42
Plugin: Headers Security Advanced & HSTS WP
Location: wp-content/plugins/headers-security-advanced-hsts-wp/
Purpose
Implement security headers to protect against XSS, clickjacking, MIME sniffing, and other web vulnerabilities.
Security Headers Configured
1. HTTP Strict Transport Security (HSTS)
Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Purpose: Force HTTPS connections, prevent SSL stripping attacks
Settings:
- Max age: 365 days (31536000 seconds)
- Include subdomains: Yes
- Preload: Yes (submitted to HSTS preload list)
2. X-Frame-Options
Header: X-Frame-Options: SAMEORIGIN
Purpose: Prevent clickjacking attacks by controlling iframe embedding
Options:
- DENY - No iframe embedding allowed
- SAMEORIGIN - Only same-domain iframes (used for StealthCam)
- ALLOW-FROM - Specific domain whitelist
3. X-Content-Type-Options
Header: X-Content-Type-Options: nosniff
Purpose: Prevent MIME type sniffing, force declared content types
4. X-XSS-Protection
Header: X-XSS-Protection: 1; mode=block
Purpose: Enable browser's built-in XSS filter (legacy browsers)
5. Referrer-Policy
Header: Referrer-Policy: strict-origin-when-cross-origin
Purpose: Control referrer information sent to external sites
Options:
- no-referrer - Never send referrer
- same-origin - Send only for same-origin requests
- strict-origin-when-cross-origin - Send origin for HTTPS→HTTPS (used)
6. Content-Security-Policy (CSP)
Header: Content-Security-Policy: [policy directives]
Purpose: Prevent XSS by controlling resource loading
Policy (example):
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://www.googletagmanager.com
https://static.klaviyo.com
https://connect.facebook.net;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https: blob:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self'
https://api.bigcommerce.com
https://analytics.klaviyo.com;
frame-src 'self' https://checkout.bigcommerce.com;
Directives:
- default-src 'self' - Only load resources from same origin by default
- script-src - Allowed script sources (GTM, Klaviyo, Facebook)
- style-src - Allowed CSS sources (Google Fonts)
- img-src - Allowed image sources (any HTTPS, data URIs)
- connect-src - Allowed AJAX/fetch destinations (BigCommerce API)
- frame-src - Allowed iframe sources (BigCommerce checkout)
Configuration
Admin: Settings → Headers Security
Presets: Use "Medium" or "High" security preset, then customize
Testing: Use Report-Only mode before enforcement
Content-Security-Policy-Report-Only: [policy]
Report Endpoint: /wp-json/headers-security/v1/csp-report
Performance Plugins
WP Smush Pro v3.18.0
Plugin: WP Smush Pro
Location: wp-content/plugins/wp-smushit/
License: WPMU DEV membership
Purpose
Optimize images with lossless/lossy compression, lazy loading, and WebP conversion for faster page loads.
Features
- Bulk Optimization - Compress all existing images
- Automatic Optimization - Compress on upload
- Lossless/Lossy Compression - Choose quality level
- WebP Conversion - Modern image format
- Lazy Loading - Defer offscreen images
- Resize Large Images - Set max dimensions
- CDN Integration - Serve images from CDN
- Directory Smush - Optimize non-media images
- Background Optimization - Process in batches
Configuration
Admin: Smush → Settings
Compression Settings:
- Compression Type: Super-smush (lossy, max compression)
- Preserve EXIF: No
- Preserve original: No
- Auto-smush: On upload (enabled)
Image Sizes:
- Resize large images: Max 2560px width/height
- Strip original: No (keep full size)
WebP Conversion:
- Enable WebP: Yes
- Delivery Method: Local (htaccess rewrite)
- Browser Support Check: Automatic
Lazy Loading:
- Enable lazy load: Yes
- Lazy load images: Yes
- Lazy load iframes: Yes (YouTube embeds, etc.)
- Exclude: Above-the-fold hero images (configured via class)
- Fade-in effect: Yes
- Placeholder: Low-quality image placeholder (LQIP)
CDN:
- Enable CDN: Yes (if using CDN)
- CDN URL: https://cdn.stealthcam.com
WebP Implementation
htaccess Rules (auto-generated by Smush):
<IfModule mod_rewrite.c>
RewriteEngine On
# Check if browser supports WebP
RewriteCond %{HTTP_ACCEPT} image/webp
# Check if WebP file exists
RewriteCond %{DOCUMENT_ROOT}/$1.webp -f
# Serve WebP instead of JPG/PNG
RewriteRule ^(wp-content/uploads/.+)\.(jpe?g|png)$ $1.webp [T=image/webp,E=accept:1,L]
</IfModule>
<IfModule mod_headers.c>
# Add Vary header for WebP
<FilesMatch "\.(jpe?g|png)$">
Header append Vary Accept
</FilesMatch>
</IfModule>
<IfModule mod_mime.c>
# Serve correct MIME type for WebP
AddType image/webp .webp
</IfModule>
Fallback: Browsers without WebP support receive original JPEG/PNG
Bulk Optimization
Process:
- Navigate to Smush → Bulk Smush
- Click "Bulk Smush"
- Plugin processes images in batches (50 at a time)
- View progress and results
Statistics (example):
- Images optimized: 3,542
- Total savings: 1.2 GB (45% reduction)
- WebP images created: 3,542
Directory Smush
Optimize images outside Media Library (theme images, plugin assets, etc.)
Directories:
- /wp-content/themes/suma-elementor/assets/images/
- /wp-content/plugins/*/assets/images/
Performance Impact
Before Optimization:
- Average image size: 850 KB
- Page weight: 4.5 MB
- LCP: 3.2s
After Optimization:
- Average image size: 350 KB (59% reduction)
- Page weight: 1.8 MB (60% reduction)
- LCP: 1.8s (44% improvement)
WP Rocket (Assumed)
Plugin: WP Rocket
Location: wp-content/plugins/wp-rocket/
License: Commercial
Purpose
Page caching, file optimization, and performance enhancements for faster page loads.
Features
- Page Caching - Static HTML file generation
- Cache Preloading - Automatic cache warming
- GZIP Compression - Compress files for transfer
- Browser Caching - Leverage browser cache
- Minification - Minify HTML, CSS, JS
- Concatenation - Combine files
- Defer/Async JS - Non-blocking JavaScript
- Remove Unused CSS - Eliminate unused stylesheets
- Lazy Load Images - Defer offscreen images (if not using Smush)
- Database Optimization - Clean up database
- CDN Integration - Serve static files from CDN
Configuration
Admin: Settings → WP Rocket
Cache Settings:
- Enable caching: Yes
- Cache lifespan: 10 hours
- Separate cache for mobile: Yes (responsive design)
- Separate cache for logged-in users: No
- Cache query strings: No
File Optimization:
- Minify HTML: Yes
- Minify CSS: Yes
- Combine CSS files: Yes
- Optimize CSS delivery: Yes (inline critical CSS)
- Minify JavaScript: Yes
- Combine JavaScript: Yes (with exceptions for jQuery)
- Load JS deferred: Yes (with safe mode)
- Delay JS execution: Yes (for specific scripts)
Media:
- LazyLoad: Disabled (using WP Smush Pro instead)
- Disable WordPress embeds: Yes
- Disable emoji: Yes
Preload:
- Preload cache: Yes
- Preload bot: Yes (automatic sitemap crawling)
- DNS Prefetch: Enabled for external domains
  - //www.googletagmanager.com
  - //static.klaviyo.com
  - //connect.facebook.net
  - //cdn.bigcommerce.com
Advanced Rules:
- Never cache URLs: /cart/*, /checkout/*, /my-account/*
- Never cache cookies: wordpress_logged_in_*, woocommerce_*
- Never cache user agents: Specific bot user agents
- Always purge URLs: /products/ (when product updated)
Database Optimization:
- Clean up revisions: Yes (keep last 5)
- Clean up auto-drafts: Yes
- Clean up transients: Yes
- Optimize tables: Yes (weekly)
Critical CSS
Automatic Generation: WP Rocket generates critical CSS for above-the-fold content
Manual Tuning: Adjustments for Elementor-specific critical CSS
Cache Warming
Preload: WP Rocket automatically crawls sitemap to generate cache
Sitemap: /sitemap_index.xml (Yoast SEO)
Schedule: Cache regenerated every 10 hours or when content updated
Cache Exclusions
URLs:
- BigCommerce cart/checkout pages (dynamic content)
- User account pages
- Admin pages
Query Strings:
- ?add-to-cart=*
- ?utm_* (tracked in cache)
Cookies:
- WordPress login cookies
- BigCommerce cart cookies
CDN Configuration
CDN Provider: Cloudflare (example)
CNAME: cdn.stealthcam.com → Cloudflare
WP Rocket CDN Settings:
- CDN URL: https://cdn.stealthcam.com
- Included directories: /wp-content/, /wp-includes/
- Excluded files: .php
Additional Security Measures
WordPress Core
Auto-Updates: Enabled for minor versions
File Permissions:
- Directories: 755
- Files: 644
- wp-config.php: 440 or 400 (read-only)
wp-config.php Security:
// Disable file editing
define('DISALLOW_FILE_EDIT', true);
// Limit post revisions
define('WP_POST_REVISIONS', 5);
// Force SSL admin
define('FORCE_SSL_ADMIN', true);
// Custom auth keys (rotated regularly)
define('AUTH_KEY', '...');
define('SECURE_AUTH_KEY', '...');
// etc.
Database Security
Prefix: Custom table prefix (not wp_)
User Privileges: Database user has only necessary privileges (SELECT, INSERT, UPDATE, DELETE)
Backups: Daily automated backups with offsite storage
File Integrity Monitoring
WP Activity Log: Monitors core, plugin, theme file changes
Alerts: Email notification on file modifications
Server Security
Web Application Firewall (WAF): Cloudflare or server-level WAF
DDoS Protection: Cloudflare rate limiting
SSL Certificate: Let's Encrypt with auto-renewal
Server Hardening:
- Disable directory listing
- Disable XML-RPC (if not needed)
- Limit PHP execution to specific directories
- Restrict access to wp-config.php, .htaccess, wp-admin/install.php
Performance Monitoring
Core Web Vitals
Target Metrics:
- LCP (Largest Contentful Paint): < 2.5s
- FID (First Input Delay): < 100ms
- CLS (Cumulative Layout Shift): < 0.1
Current Performance (homepage):
- LCP: 1.8s ✅
- FID: 50ms ✅
- CLS: 0.05 ✅
PageSpeed Insights
Desktop Score: 95/100
Mobile Score: 85/100
Opportunities:
- Further JS minification
- Reduce third-party script impact (GTM, Klaviyo)
GTmetrix
Performance Grade: A (94%)
Structure Grade: A (96%)
Key Metrics:
- Fully Loaded Time: 2.1s
- Total Page Size: 1.8 MB
- Requests: 45
Uptime Monitoring
Service: UptimeRobot (or similar)
Checks: HTTP(S) check every 5 minutes
Alerts: Email/SMS on downtime
Security Checklist
Daily:
- Review failed login attempts (WP Activity Log)
Weekly:
- Check security event log for anomalies
- Verify backup completion
- Review site uptime reports
Monthly:
- Update WordPress core, plugins, themes
- Rotate admin passwords
- Review user accounts and permissions
- Check SSL certificate expiration
- Database optimization (via WP Rocket)
Quarterly:
- Security audit (penetration testing)
- Review and update security policies
- Test disaster recovery procedures
- Rotate API keys and secrets
Performance Optimization Checklist
Initial Setup:
- Install and configure WP Smush Pro
- Install and configure WP Rocket
- Enable object caching (Redis)
- Configure CDN
- Implement security headers
Ongoing:
- Monitor Core Web Vitals (monthly)
- Run PageSpeed Insights audits (monthly)
- Review slow query log (monthly)
- Optimize database (weekly via WP Rocket)
- Clear unused plugins/themes (quarterly)