
What CMSSPM Does

Purpose

CMSSPM is a WordPress security posture management plugin that helps you audit, harden, and monitor your site’s core settings, accounts, browser-facing protections, files, and email/DNS authentication from one local wp‑admin dashboard. It is designed to give you a repeatable way to measure security drift, apply safe remediations, and export evidence for audits or stakeholders.

Where to find it

After activating the plugin, you’ll see a Posture Management menu in wp‑admin.
From there you can open:

  • The Overview Dashboard for a snapshot of your current security posture
  • Dedicated pages for Core Security, Account Security, Browser Security, Email Security, File Security, and Settings

Each page controls a specific family of checks and remediations, and the documentation sections map one‑to‑one onto these UI pages.

What CMSSPM covers

CMSSPM focuses on configuration and posture rather than malware removal. It helps you:

  • Audit core WordPress configuration
    Check and enforce HTTPS URLs, registration and default role behavior, comment defaults, and wp‑config flags such as file editor access and file modification controls.
  • Strengthen account security
    Apply password complexity rules, block compromised passwords, require MFA for selected roles, limit login attempts, and manage inactive accounts with last‑login tracking and maintenance policies.
  • Harden browser and transport security
    Enforce HTTPS redirects via a must‑use plugin, apply Content Security Policy presets, and set common security headers (HSTS, X‑Frame‑Options, Referrer‑Policy, Permissions‑Policy, and related controls).
  • Validate email and DNS authentication
    Inspect SPF, DKIM, and DMARC for your domains and subdomains, including selector‑level checks and parent/subdomain policy evaluation, to support secure mail delivery and reporting.
  • Protect file and asset handling
    Block PHP execution in uploads, manage an optional Auto‑SRI helper for external assets, and run file‑integrity oriented checks where supported.
  • Schedule scans and export evidence
    Run on‑demand or scheduled scans, view findings and scan traces, and export CSV or JSON outputs so you can attach results to tickets, audit packages, or internal reports.

The plugin keeps all data local to your WordPress instance; it does not require an external control plane or subscription to operate.
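As an added illustration of the parent/subdomain DMARC policy evaluation described above (example code written for this page, not part of CMSSPM): it parses DMARC TXT records from a constructed in-memory DNS table and works out which policy applies to a given sending domain, using the domain's own record if one exists and otherwise the organizational domain's `sp=` tag, then its `p=` tag. The organizational domain is passed in as a parameter rather than derived from the Public Suffix List; that is an assumed simplification.

```python
from typing import Optional

# Constructed sample DNS TXT data for offline use (not real records).
DNS_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=none"],
    "_dmarc.example.org": ["v=DMARC1; p=reject"],          # no sp= tag: subdomains inherit p=
    "_dmarc.noauth.example": ["v=spf1 -all"],               # TXT present, but not a DMARC record
}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid DMARC record.
    A valid record must start with v=DMARC1 and carry a p= tag (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_dmarc(name: str) -> Optional[dict]:
    """Return the first valid DMARC record published at _dmarc.<name>, if any."""
    for txt in DNS_TXT.get("_dmarc." + name, []):
        record = parse_dmarc(txt)
        if record:
            return record
    return None


def effective_policy(domain: str, org_domain: str) -> dict:
    """Resolve the DMARC policy that applies to mail from `domain`.
    RFC 7489 section 6.6.3: the domain's own record wins; otherwise a subdomain
    falls back to the organizational domain's record, where sp= (if present)
    overrides p= for subdomains. `org_domain` is assumed to be supplied by the caller."""
    own = lookup_dmarc(domain)
    if own:
        return {"source": domain, "policy": own["p"].lower(), "record": own}
    if domain != org_domain:
        parent = lookup_dmarc(org_domain)
        if parent:
            policy = parent.get("sp", parent["p"]).lower()
            return {"source": org_domain, "policy": policy, "record": parent}
    # No applicable record: receivers treat this as no DMARC policy at all.
    return {"source": None, "policy": "none", "record": None}
```

A finding worth flagging in a posture scan is a subdomain whose effective policy comes only from the parent and is weaker than the parent's own `p=`.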

Recommended way to use it

For a new site, a typical first run looks like this:

  1. Install and activate CMSSPM, then open the Overview Dashboard.
  2. Run a full scan to get an initial posture snapshot and baseline findings.
  3. Review quick wins and high‑severity findings, then click through to the relevant section (Core, Account, Browser, Email, File) to understand the control that applies.
  4. Enable enforcement where appropriate, starting with low‑risk controls such as HTTPS redirects, header improvements, and login rate limiting.
  5. Re‑scan to confirm that changes are reflected in the posture view and exports.

On an ongoing basis, you can keep scheduled scans enabled and treat the dashboard as a scorecard for configuration drift and remediation progress.

How to confirm it’s working

You can validate that CMSSPM is doing what you expect by:

  • Checking that the Dashboard scores and findings update after you change settings and re‑run scans.
  • Verifying that enforced controls behave as configured (for example, HTTP requests redirect to HTTPS, weak passwords are rejected, or blocked login attempts are logged).
  • Reviewing scan logs and traces for timestamps, target details, and evidence tied to each finding.
  • Exporting CSV findings or DNS auth JSON and confirming that they contain the same information shown in the UI.

If your changes are not reflected after a scan, or enforcement behavior doesn’t match the settings page, see the Troubleshooting section for specific scenarios.

Notes and scope

CMSSPM is focused on configuration posture rather than malware cleanup or general performance tuning. It assumes:

  • You have administrative access to wp‑admin and can modify settings or wp‑config indirectly through the UI.
  • You can safely test and roll back TLS, header, and login‑related changes in a staging or maintenance window when needed.
  • You may need to coordinate some remediations (such as DNS changes for SPF/DKIM/DMARC) with your DNS or email providers.

Use CMSSPM as a repeatable checklist and scorecard for security posture, and pair it with your existing backup, monitoring, and incident response tooling for a complete operational picture.
