{"id":223522,"date":"2025-03-28T09:03:02","date_gmt":"2025-03-28T09:03:02","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/wordsentinel\/"},"modified":"2025-12-05T13:03:03","modified_gmt":"2025-12-05T13:03:03","slug":"wordsentinel","status":"closed","type":"plugin","link":"https:\/\/en-gb.wordpress.org\/plugins\/wordsentinel\/","author":23393581,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.5","stable_tag":"1.2.5","tested":"6.9.4","requires":"5.8","requires_php":"7.0","requires_plugins":null,"header_name":"WordSentinel","header_author":"Nexsol Technologies Team","header_description":"Secure WordPress by configuring essential security headers and analyzing the website's grades via external services.","assets_banners_color":"ffffff","last_updated":"2025-12-05 13:03:03","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/buymeacoffee.com\/nexsol.team","header_plugin_uri":"https:\/\/store.nexsol-tech.ch\/","header_author_uri":"https:\/\/nexsol-tech.ch\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":1139,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.1":{"tag":"1.0.1","author":"victorlago","date":"2025-07-04 16:48:42"},"1.0.2":{"tag":"1.0.2","author":"victorlago","date":"2025-07-04 17:00:40"},"1.2.0":{"tag":"1.2.0","author":"victorlago","date":"2025-10-20 15:24:38"},"1.2.1":{"tag":"1.2.1","author":"victorlago","date":"2025-10-24 09:17:03"},"1.2.2":{"tag":"1.2.2","author":"victorlago","date":"2025-10-31 08:06:15"},"1.2.3":{"tag":"1.2.3","author":"victorlago","date":"2025-10-31 15:48:31"},"1.2.4":{"tag":"1.2.4","author":"victorlago","date":"2025-11-23 14:20:12"},"1.2.5":{"tag":"1.2.5","author":"victorlago","date":"2025-12-05 13:03:03"}},"upgrade_notice":{"":"

No upgrade notices available yet.<\/p>"},"ratings":[],"assets_icons":{"icon.svg":{"filename":"icon.svg","revision":3263313,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3263396,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3263396,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.1","1.0.2","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3383869,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3383869,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3383869,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3383869,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3383869,"resolution":"5","location":"assets","locale":""}},"screenshots":{"1":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.","2":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.","3":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison.","4":"WordSentinel lets you configure which header is active.","5":"Advanced CSP configuration panel, in this tab you can whitelist the external resources and assure a fully functional website without lowering the level of protection."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[7642,19966,2846,153786,1536],"plugin_category":[54],"plugin_contributors":[249468,249467,249658,249466],"plugin_business_model":[],"class_list":["post-223522","plugin","type-plugin","status-closed","hentry","plugin_tags-clickjacking","plugin_tags-csp","plugin_tags-headers","plugin_tags-security-headers","plugin_tags-ssl","plugin_category-security-and-spam-protection","plugin_contributors-guerricm","plugin_contributors-maxouhell","plugin_contributors-nexsol","plugin_contributors-victorlago","plugin_committers-guerricm","plugin_committers-maxouhell","plugin_committers-nexsol","plugin_committers-victorlago"],"banners":[],"icons":{"svg":"https:\/\/ps.w.org\/wordsentinel\/assets\/icon.svg?rev=3263313","icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/wordsentinel_ffffff.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/wordsentinel\/assets\/screenshot-1.png?rev=3383869","caption":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison."},{"src":"https:\/\/ps.w.org\/wordsentinel\/assets\/screenshot-2.png?rev=3383869","caption":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison."},{"src":"https:\/\/ps.w.org\/wordsentinel\/assets\/screenshot-3.png?rev=3383869","caption":"The dashboard gives you an overview of your site's current ratings, scan history and benchmark comparison."},{"src":"https:\/\/ps.w.org\/wordsentinel\/assets\/screenshot-4.png?rev=3383869","caption":"WordSentinel lets you configure which header is active."},{"src":"https:\/\/ps.w.org\/wordsentinel\/assets\/screenshot-5.png?rev=3383869","caption":"Advanced CSP configuration panel, in this tab you can whitelist the external resources and assure a fully functional website without lowering the level of protection."}],"raw_content":"\n

The WordSentinel<\/strong> plugin by Nexsol Technologies S\u00e0rl<\/strong> enhances your WordPress website\u2019s security by automatically applying and managing HTTP security headers<\/strong> \u2014 including Content Security Policy (CSP)<\/strong> \u2014 while providing live security analysis powered by Mozilla Observatory<\/strong>.<\/p>\n\n

Unlike simple header managers, WordSentinel actively helps you understand, measure, and improve your site\u2019s protection.
\nIt provides clear dashboards, actionable insights, and real-time grading so you can reinforce your headers with confidence \u2014 no deep technical knowledge required.<\/p>\n\n

What WordSentinel Does<\/h4>\n\n

WordSentinel helps protect your WordPress website against common web vulnerabilities such as:\n- Cross-Site Scripting (XSS<\/strong>)
\n- Clickjacking attacks
\n- Content injection and mixed content issues
\n- Insecure resource loading (scripts, iframes, styles)<\/p>\n\n

It does so by implementing a complete and configurable set of browser-level security headers<\/strong>, giving you granular control over each directive.<\/p>\n\n

In addition, it connects securely to Mozilla Observatory<\/strong> to scan your site and assign a security grade<\/strong> (A+ to F), helping you benchmark your configuration and understand what needs improvement.<\/p>\n\n

Key Features<\/h4>\n\n
    \n

  • Comprehensive HTTP Header Management<\/strong>
    \nEasily configure headers such as:<\/p>\n\n

      \n
    • Content Security Policy (CSP) <\/li>\n
    • Strict-Transport-Security (HSTS) <\/li>\n
    • X-Frame-Options <\/li>\n
    • Referrer-Policy <\/li>\n
    • X-Content-Type-Options <\/li>\n
    • Permissions-Policy <\/li>\n<\/ul><\/li>\n

    • Real-Time Security Analysis<\/strong>
      \nInstantly scan your site via Mozilla Observatory and get a visual security grade.
      \nThe plugin automatically handles rate limits with built-in cooldown protection.<\/p><\/li>\n

    • Advanced CSP Management<\/strong>
      \nCreate, test, and refine your CSP rules dynamically.
      \nWordSentinel now supports automatic hash generation for inline scripts and styles<\/strong>, improving both flexibility and security.<\/p><\/li>\n

    • Smart License and Subscription System<\/strong>
      \nThe free version covers essential headers and analysis.
      \nPremium users unlock advanced CSP tools, automatic reports, and custom integrations.
      \nLicenses are securely validated through Nexsol\u2019s API and cached locally for 24 hours.<\/p><\/li>\n

    • Optimized for Local and Production Environments<\/strong>
      \nAutomatically detects if you are running on localhost and disables API calls for safe testing.<\/p><\/li>\n

    • Performance and Privacy First<\/strong>
      \nWordSentinel is lightweight, privacy-respecting, and runs entirely within WordPress.
      \nNo telemetry, analytics, or tracking are ever collected.<\/p><\/li>\n

    • Multilingual and Accessible Interface<\/strong>
      \nTranslated into six languages with an adaptive design inspired by Mozilla\u2019s clean security aesthetic.<\/p><\/li>\n<\/ul>\n\n

      Why Choose WordSentinel?<\/h4>\n\n
        \n
      • Easy setup \u2014 no coding skills required <\/li>\n
      • Combines security headers and observatory analysis in one plugin <\/li>\n
      • Works seamlessly with most WordPress security and caching plugins <\/li>\n
      • Developed and maintained by Nexsol Technologies, a Swiss-based IT company <\/li>\n
      • Transparent, privacy-respecting, and GPL-licensed<\/li>\n<\/ul>\n\n

        WordSentinel merges modern web security standards with a simple and intuitive configuration experience \u2014 making it a must-have for both developers and site owners who care about protection and compliance.<\/p>\n\n

        External Services and API Usage<\/h3>\n\n

        WordSentinel securely connects to a small number of external APIs to perform license validation and site analysis:<\/p>\n\n

          \n

        • Mozilla Observatory API<\/strong> \u2013 Used to analyze your website\u2019s HTTP headers and generate a public security grade.
          \nData sent: only your site\u2019s public URL.
          \nService: https:\/\/observatory.mozilla.org\/api\/<\/p><\/li>\n

        • Nexsol License Validation API<\/strong> \u2013 Used to verify premium licenses and maintain secure feature access.
          \nData sent: license key only.
          \nService: https:\/\/api.nexsol-tech.ch\/wordsentinel\/licenses<\/p><\/li>\n

        • Nexsol Public Key API<\/strong> \u2013 Used to securely retrieve the public keys required for validating license signatures.
          \nData sent: none.
          \nService: https:\/\/api.nexsol-tech.ch\/wordsentinel\/certs<\/p><\/li>\n<\/ul>\n\n

          All requests are transmitted securely via HTTPS.
          \nWordSentinel never sends personal information, usage analytics, or tracking data of any kind.<\/p>\n\n

          Languages Supported<\/h3>\n\n
            \n
          • English (default)<\/li>\n
          • Fran\u00e7ais (fr_FR)<\/li>\n
          • Deutsch (de_DE)<\/li>\n
          • Italiano (it_IT)<\/li>\n
          • Espa\u00f1ol (es_ES)<\/li>\n
          • Portugu\u00eas Brasileiro (pt_BR)<\/li>\n<\/ul>\n\n

            License<\/h3>\n\n

            This plugin is licensed under the GPLv2 or later.
            \nSee the GPLv2 License for details: https:\/\/www.gnu.org\/licenses\/gpl-2.0.html<\/p>\n\n

            Support<\/h3>\n\n

            For documentation, updates, and premium features, visit https:\/\/nexsol-tech.ch\/wordsentinel<\/p>\n\n\n

              \n

            1. Install WordSentinel<\/strong><\/p>\n\n

                \n
              • Upload the plugin files to \/wp-content\/plugins\/wordsentinel\/<\/code>, or install it directly from the WordPress Plugin Directory. <\/li>\n
              • Activate the plugin through the Plugins<\/strong> screen in WordPress.<\/li>\n<\/ul><\/li>\n

              • Run Your First Security Scan<\/strong><\/p>\n\n

                  \n
                • Navigate to WordSentinel \u2192 Dashboard<\/strong> in your admin sidebar. <\/li>\n
                • The first scan should run automatically, but if not you can click \u201cLaunch Scan\u201d to analyze your site with Mozilla Observatory<\/strong>. <\/li>\n
                • View your grade and detailed results instantly.<\/li>\n<\/ul><\/li>\n

                • Configure Your Security Headers<\/strong><\/p>\n\n

                    \n
                  • Go to the Headers<\/strong> tab, you will see that all options are enabled by default, you can toggle on and off HTTP headers such as CSP, HSTS, and Referrer-Policy. <\/li>\n
                  • Save changes if you made any and verify results with another scan by clicking on \u201cLaunch Scan\u201d at the top of the dashboard.<\/li>\n<\/ul><\/li>\n

                  • Review Your Site<\/strong><\/p>\n\n

                      \n
                    • Test your website normally to ensure compatibility with your active theme and plugins. <\/li>\n
                    • WordSentinel automatically excludes the Divi Builder admin pages from CSP enforcement for a smooth experience.<\/li>\n<\/ul><\/li>\n

                    • (Optional) Activate Premium Features<\/strong><\/p>\n\n

                        \n
                      • Enter your license key under WordSentinel \u2192 License<\/strong> to unlock the Advanced CSP<\/strong> tab. <\/li>\n
                      • Premium users gain access to granular Content Security Policy management, automatic hashing, and advanced resource control.<\/li>\n<\/ul>\n\n

                        Once activated, open the Advanced CSP<\/strong> tab to fine-tune how your website handles external resources and inline code.
                        \nEach field corresponds to a specific type of resource that browsers enforce under the CSP standard:<\/p><\/li>\n<\/ol>\n\n

                          \n

                        • Script Sources (script-src<\/code>)<\/strong> \u2013 Defines the trusted locations for JavaScript files.
                          \n Add domains such as https:\/\/cdnjs.cloudflare.com<\/code> or https:\/\/www.googletagmanager.com<\/code> if your site uses external scripts.
                          \n WordSentinel automatically hashes inline scripts when hashing is enabled.<\/p><\/li>\n

                        • Style Sources (style-src<\/code>)<\/strong> \u2013 Controls which URLs can load CSS.
                          \n Include domains like https:\/\/fonts.googleapis.com<\/code> for Google Fonts, or your CDN if styles are served externally.
                          \n WordSentinel can also hash inline styles for maximum compatibility and security.<\/p><\/li>\n

                        • Image Sources (img-src<\/code>)<\/strong> \u2013 Specifies where images are allowed to load from.
                          \n For example, you might whitelist https:\/\/cdn.yourhost.com<\/code> or data:<\/code> if your theme uses base64-encoded images.<\/p><\/li>\n

                        • Font Sources (font-src<\/code>)<\/strong> \u2013 Used for font files such as .woff<\/code> or .woff2<\/code>.
                          \n Common examples include https:\/\/fonts.gstatic.com<\/code> or your CDN\u2019s domain.<\/p><\/li>\n

                        • Frame Sources (frame-src<\/code>)<\/strong> \u2013 Controls which external pages can be embedded in <iframe><\/code> elements.
                          \n For example, to allow YouTube or Vimeo embeds, add https:\/\/www.youtube.com<\/code> and https:\/\/player.vimeo.com<\/code>.<\/p><\/li>\n

                        • Connect Sources (connect-src<\/code>)<\/strong> \u2013 Defines which endpoints can be called using APIs like fetch()<\/code> or WebSockets.
                          \n This is critical for AJAX-heavy websites or third-party integrations.<\/p><\/li>\n

                        • Media Sources (media-src<\/code>)<\/strong> \u2013 Whitelist locations for video or audio files.
                          \n If your website uses external streaming or hosted media, list their domains here.<\/p><\/li>\n

                        • Default Sources (default-src<\/code>)<\/strong> \u2013 Acts as a fallback policy for any type of resource not covered above.
                          \n When in doubt, set this to 'self'<\/code> to restrict everything to your domain unless explicitly whitelisted elsewhere.<\/p><\/li>\n<\/ul>\n\n\n\n

                          \ud83d\udca1 When a Resource is Blocked<\/strong><\/p>\n\n

                          If your browser\u2019s console shows an error such as:<\/p>\n\n

                          Refused to load the script from 'https:\/\/example.com'\nbecause it violates the Content Security Policy directive: \"script-src 'self'\"\n<\/code><\/pre>\n\n
                          That means WordSentinel is actively protecting your website<\/strong> \u2014 the CSP is doing its job.
                          \n  To resolve the issue, simply copy the indicated domain (https:\/\/example.com<\/code>) and add it to the corresponding source list (e.g. \u201cScript Sources\u201d) in the Advanced CSP<\/strong> tab.
                          \n  Save your changes, refresh your site, and the resource will load securely while keeping full CSP protection active.<\/p>\n\n\n\n
                          WordSentinel\u2019s premium CSP module is designed to make advanced header configuration safe and understandable, even for non-developers \u2014 giving you both control and peace of mind.<\/p>\n\n\n
                          \n
                          1. What are HTTP security headers?<\/h3><\/dt>\n
                          HTTP security headers tell browsers how to handle your site\u2019s resources safely, helping to prevent data leaks and malicious injections.<\/p><\/dd>\n
                          2. Do I need coding skills to use WordSentinel?<\/h3><\/dt>\n
                          No. Everything is managed through an intuitive interface with clear explanations and automatic validation.<\/p><\/dd>\n
                          3. Why does the \u201cScan\u201d button have a cooldown?<\/h3><\/dt>\n
                          To comply with Mozilla Observatory\u2019s API limits and prevent overloading the service, scans are limited to one per site every few minutes.<\/p><\/dd>\n
                          4. Will WordSentinel conflict with my caching or firewall plugins?<\/h3><\/dt>\n
                          No. WordSentinel adds headers at the HTTP level and is compatible with most caching, CDN, and security tools including Wordfence and Cloudflare.<\/p><\/dd>\n\n<\/dl>\n\n\n
                          1.2.4 \u2013 Novermber 11, 2025<\/h4>\n\n
                            \n
                          • Improvement: Enhanced default CSP header in the free version to provide stronger baseline security for all users.<\/li>\n<\/ul>\n\n
                            1.2.3 \u2013 October 31, 2025<\/h4>\n\n
                              \n
                            • Feature: Added Domain Resource Scan \u2014 automatically detects external resources (scripts, styles, images, etc.) used on the site and adds them to the advanced CSP configuration.<\/li>\n
                            • Feature: Added Launch resource scan button with integrated spinner and live status feedback.<\/li>\n
                            • Improvement: Enhanced Advanced CSP tab with explanatory text and visual separation between user-defined and automatically detected sources.<\/li>\n
                            • Improvement: Unified logic for license validation and domain scanning to reduce duplicate code.<\/li>\n
                            • Improvement: Added full multilingual support (EN, FR, DE, ES, IT, PT-BR) for new scan-related messages.<\/li>\n
                            • Fix: Corrected handling of CSP detected directives to ensure consistent key naming and reliable display in the admin UI.<\/li>\n<\/ul>\n\n
                              1.2.2 \u2013 October 31, 2025<\/h4>\n\n
                                \n
                              • Maintenance release: minor stability improvements and compatibility updates.<\/li>\n
                              • Fix: Minor bug fixes.<\/li>\n
                              • Improvement: Optimized async loading sequence for admin panels.<\/li>\n
                              • Improvement: Updated translation strings and ensured full synchronization across all languages.<\/li>\n<\/ul>\n\n
                                1.2.1 \u2013 October 24, 2025<\/h4>\n\n
                                  \n
                                • Feature: Added plugin screenshots for the WordPress.org listing.<\/li>\n
                                • Improvement: Added screenshot descriptions for better presentation on plugin page.<\/li>\n
                                • Fix: Minor alignment adjustments in admin panels.<\/li>\n<\/ul>\n\n
                                  1.2.0 \u2013 October 24, 2025<\/h4>\n\n
                                    \n
                                  • Feature: Added hashing support for inline style tags in CSP.<\/li>\n
                                  • Improvement: Enhanced admin UI with asynchronous panel loading and smooth animations.<\/li>\n
                                  • Improvement: Centralized all license management logic in a single class.<\/li>\n
                                  • Improvement: Implemented 24-hour caching for license validation to reduce API requests.<\/li>\n
                                  • Improvement: Refined license validation messages and overall flow.<\/li>\n
                                  • Improvement: Excluded Divi Builder admin pages from CSP enforcement for compatibility.<\/li>\n
                                  • Improvement: Adopted Mozilla Observatory color palette for grade visuals.<\/li>\n
                                  • Improvement: Optimized execution order and structure of admin-script.js.<\/li>\n
                                  • Improvement: Completed translations in six languages (EN, FR, DE, ES, IT, PT-BR).<\/li>\n
                                  • Fix: Minor visual inconsistencies in the grade display panels.<\/li>\n<\/ul>\n\n
                                    1.1.0 \u2013 June 6, 2025<\/h4>\n\n
                                      \n
                                    • Feature: Introduced premium features and subscription-based licensing system.<\/li>\n
                                    • Feature: Added advanced CSP management tools for premium users.<\/li>\n
                                    • Improvement: Enhanced security scanning with automated reporting.<\/li>\n
                                    • Improvement: Integrated secure license key validation and JWT handling.<\/li>\n
                                    • Improvement: Updated admin interface with clearer notices and refined UX.<\/li>\n
                                    • Improvement: Localized all plugin assets to remove CDN dependencies.<\/li>\n
                                    • Fix: Improved sanitization, nonce verification, and escaping across admin forms.<\/li>\n
                                    • Fix: Minor styling and layout inconsistencies.<\/li>\n<\/ul>\n\n
                                      1.0.2 \u2013 March 1, 2025<\/h4>\n\n
                                        \n
                                      • Improvement: Confirmed compatibility with WordPress 6.8.<\/li>\n<\/ul>\n\n
                                        1.0 \u2013 February 2025<\/h4>\n\n
                                          \n
                                        • Feature: Initial release with Mozilla Observatory integration.<\/li>\n
                                        • Feature: Added dashboard view and retry functionality with cooldown protection.<\/li>\n<\/ul>","raw_excerpt":"Secure your WordPress website with advanced HTTP headers, intelligent CSP management, and integrated Mozilla Observatory security analysis.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/223522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=223522"}],"author":[{"embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/nexsol"}],"wp:attachment":[{"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=223522"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=223522"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=223522"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=223522"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=223522"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/en-gb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=223522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}