Every Kelma site is protected by default — a Cloudflare web application firewall, always-on DDoS mitigation, isolated containers, and free SSL. The Security tab lets you add extra hardening on top, per site, with simple toggles. Here is what each one does.
Bot protection
- Managed Challenge — present a Cloudflare challenge to all visitors. Use it briefly to stop an active wave of abuse or scraping.
- Intelligent Bot Fight — leave this on; it watches for bot surges and automatically enables a challenge only when one is detected, then relaxes again.
XMLRPC protection
xmlrpc.php is a common target for brute-force and amplification attacks. Keep XMLRPC protection on to block requests to it. Only turn the protection off if a plugin genuinely needs xmlrpc.php (older Jetpack features, some remote-publishing apps).
Security headers
Toggle Add security headers to send a modern, recommended set — HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and XSS protection — which harden the browser side of your site and improve security scans. You can also remove the X-Powered-By header to reveal less about your stack.
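To confirm the toggles took effect without waiting for a full scanner, here is an added example (not Kelma's own code) that audits a response's header block, such as the output of `curl -sI`. It assumes "XSS protection" means the X-XSS-Protection header; the page does not state the exact values sent, so it checks presence, a non-zero HSTS max-age, and that X-Powered-By is gone.

```python
import re
import sys

# Headers the "Add security headers" toggle is described as sending.
# Assumption: X-XSS-Protection is what the page calls "XSS protection".
EXPECTED = ("strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy", "x-xss-protection")

def parse_head(raw):
    """Parse the header block of an HTTP response (e.g. `curl -sI` output)."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_head(raw)
    findings = [f"missing {name}" for name in EXPECTED if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if hsts and (not m or int(m.group(1)) == 0):
        # max-age=0 tells browsers to forget the HSTS policy
        findings.append("HSTS present but max-age is zero or absent")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By discloses: {h['x-powered-by']}")
    return findings

# Constructed sample responses, not captured from a real Kelma site.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: PHP/8.2\r\n\r\n"
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for finding in audit(raw) or ["all checks passed"]:
        print(finding)
```

Pipe a response's headers into the script on stdin to audit your own site; with no input it runs against the constructed "before" sample.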
Minimum TLS version
Set the lowest TLS version your site will accept. TLS 1.2 is the recommended default; choose TLS 1.3 for the strictest, most modern setting if none of your visitors rely on older clients.
Tips & tricks
- Under attack right now? Flip on Managed Challenge to immediately gate all traffic, then turn it off once the wave passes.
- Run a security scanner after enabling headers — your score should jump noticeably.
- Keep XMLRPC blocked unless a specific plugin breaks; it removes a whole class of attacks.
- Pair with backups. Hardening reduces risk, and daily backups with 14 restore points mean you can always roll back if something does slip through.