v1.5.0

Apex Security Documentation

Firewall, hardening, and threat defense for WordPress. Complete reference including installation, configuration, CLI commands, hooks, and troubleshooting.


Getting Started

1. Overview

Apex Security provides comprehensive WordPress protection through multiple defense layers: a real-time Web Application Firewall (WAF), login hardening with passkeys and 2FA, malware and file integrity scanning, virtual patching of known CVEs, and cloud-backed threat intelligence.

The WAF inspects every incoming HTTP request in under 2ms, applying signature-based and behavioral rules before the request reaches WordPress core. Virtual patches are deployed automatically via cloud threat intelligence when new vulnerabilities are disclosed.

2. System Requirements

| Component | Minimum | Recommended |
| --- | --- | --- |
| WordPress | 5.6+ | 6.4+ |
| PHP | 7.4+ | 8.2+ |
| OpenSSL | Required | 3.0+ |
| HTTPS | Recommended | Required for passkeys |

HTTPS is required for WebAuthn/Passkeys to function. It is strongly recommended for all security features.

3. Installation

  1. Purchase a license at apexstack.cloud/pricing
  2. Download the plugin ZIP from your account dashboard
  3. In WordPress, go to Plugins → Add New → Upload Plugin
  4. Upload the ZIP and click Install Now, then Activate

Or install from the command line with WP-CLI:

wp plugin install /path/to/apex-security.zip --activate

The WAF activates automatically after license verification. No additional configuration is required for basic protection.

4. License Activation

Navigate to Security → Settings → License and enter your license key.

wp apex-security license activate YOUR-LICENSE-KEY
wp apex-security license status

After activation, the WAF begins protecting your site immediately with the default rule set. Threat intelligence updates are fetched automatically.


Firewall (WAF)

1. WAF Overview

The Web Application Firewall intercepts every HTTP request before it reaches WordPress. The inspection pipeline:

  1. IP Reputation Check — compare source IP against cloud threat database
  2. Rate Limiting — enforce per-IP request limits
  3. Signature Matching — check request parameters against known attack patterns (SQLi, XSS, RFI, etc.)
  4. Behavioral Analysis — detect anomalous request patterns
  5. Decision — allow, block, or challenge the request

Average processing time is under 2ms per request, ensuring zero perceptible impact on legitimate visitors.

2. WAF Configuration

// WAF operation mode
define('APEX_WAF_MODE', 'protect');     // 'protect', 'detect', 'disabled'

// Log blocked requests (default: true)
define('APEX_WAF_LOG_BLOCKED', true);

// IP whitelist (never blocked by WAF)
define('APEX_WAF_WHITELIST_IPS', [
    '203.0.113.1',      // Office IP
    '198.51.100.0/24',  // VPN range
]);

// Rate limiting
define('APEX_WAF_RATE_LIMIT', 60);   // max requests per window
define('APEX_WAF_RATE_WINDOW', 60);  // window in seconds

| Mode | Behavior |
| --- | --- |
| protect | Block malicious requests (default, recommended) |
| detect | Log threats but don't block — useful for testing rules |
| disabled | WAF completely off (not recommended) |

3. Virtual Patching

When a CVE is disclosed for a WordPress plugin or theme, Apex Security's cloud threat intelligence team creates a WAF rule that blocks the specific exploit pattern. This rule is deployed to all installations automatically — typically within hours.

How It Works

  1. A vulnerability is publicly disclosed (e.g., CVE-2024-XXXX in Plugin Y)
  2. Our security team analyzes the exploit vector and creates a targeted WAF rule
  3. The rule is pushed to all Apex Security installations via the threat feed
  4. Exploit attempts are blocked at the WAF level before reaching the vulnerable code
  5. You update the affected plugin at your convenience

Virtual patches do not modify the vulnerable plugin's code. They block the exploit vector at the request level, buying you time to update.

4. IP Reputation

Apex Security maintains a cloud-backed IP reputation database that scores IPs based on observed malicious behavior across the network. Scores range from 0 (clean) to 100 (confirmed malicious).

// Block IPs with reputation score above threshold (default: 80)
define('APEX_WAF_IP_THRESHOLD', 80);

// Enable/disable IP reputation checks
define('APEX_WAF_IP_REPUTATION', true);

# Check an IP's reputation score
wp apex-security ip-check 185.234.218.100

# View recently blocked IPs
wp apex-security blocked --period=24h --format=table

Authentication

1. Two-Factor (TOTP)

Apex Security supports Time-based One-Time Passwords (TOTP) for two-factor authentication. Compatible with Google Authenticator, Authy, 1Password, and any RFC 6238 compliant app.

Configuration

// Require 2FA for specific roles
define('APEX_2FA_REQUIRED_ROLES', ['administrator', 'editor']);

// Grace period for enrollment (days, 0 = immediate)
define('APEX_2FA_GRACE_PERIOD', 7);

// Number of backup codes generated
define('APEX_2FA_BACKUP_CODES', 10);

Enrollment

When 2FA is required for a user's role, they are prompted to enroll on their next login. The enrollment flow shows a QR code and provides backup recovery codes.

# Manage 2FA via WP-CLI
wp apex-security 2fa enable --role=administrator
wp apex-security 2fa disable --role=editor
wp apex-security 2fa reset --user=admin

2. Passkeys & WebAuthn

Apex Security implements the WebAuthn standard for passwordless authentication using biometrics (Face ID, Touch ID, Windows Hello) or hardware security keys (YubiKey).

// Enable passkeys (default: true)
define('APEX_PASSKEYS_ENABLED', true);

// Require passkeys for specific roles (optional)
define('APEX_PASSKEYS_REQUIRED_ROLES', ['administrator']);

Browser Support

Browser | Passkeys | Security Keys
Chrome 108+
Safari 16.1+
Firefox 122+
Edge 108+

WebAuthn requires HTTPS. Passkeys will not function on sites served over plain HTTP.

3. Login Protection

Brute-force login protection with configurable lockout thresholds and progressive delays.

// Maximum login attempts before lockout
define('APEX_LOGIN_MAX_ATTEMPTS', 5);

// Lockout duration in minutes
define('APEX_LOGIN_LOCKOUT_DURATION', 30);

// Enable progressive delays (each failed attempt adds delay)
define('APEX_LOGIN_PROGRESSIVE_DELAY', true);

// Log all login attempts
define('APEX_LOGIN_LOG_ALL', true);
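
# View login attempt log
wp apex-security login-log --period=24h

# Unlock a locked-out IP (whitelisted IPs are never blocked by the WAF;
# remove the entry afterwards with: wp apex-security whitelist remove 203.0.113.50)
wp apex-security whitelist add 203.0.113.50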

Scanning

1. Malware Scanner

The malware scanner checks your WordPress installation for known malicious code patterns, backdoors, and suspicious files.

Scan Types

| Type | What It Checks | Duration |
| --- | --- | --- |
| Quick | Core files, active plugins/theme | ~30 seconds |
| Full | All files in wp-content + core | 2-5 minutes |
| Malware | Known malware signatures only | ~1 minute |

# Run a full scan
wp apex-security scan --type=full

# Quick scan with JSON output
wp apex-security scan --type=quick --format=json

2. File Integrity Monitoring

Apex Security verifies WordPress core files against the official checksums from WordPress.org. Any modified, added, or deleted core files are flagged for review.

The integrity check runs automatically after plugin updates and can be scheduled on a daily or weekly basis via Security → Settings → Scanning.

# Check core file integrity
wp apex-security scan --type=integrity

# Expected output
✓ wp-admin/     — 284 files verified
✓ wp-includes/  — 1,847 files verified
✗ wp-config.php — modified (expected, user config)
✓ Core checksum — WordPress 6.4.2 match
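
The comparison described above, as an added example rather than the plugin's own scanner: a shell function that checks a tree against a checksum manifest and reports modified, deleted and added files. The function name, the manifest layout (md5sum output format) and the demo files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare a directory tree against a checksum manifest and
# report modified, deleted and added files. Returns 1 if anything differs.
# MANIFEST uses md5sum's format: "<md5>  <path relative to ROOT>".
core_integrity() {
    root=$1; manifest=$2; rc=0
    # Pass 1: every file the manifest expects must exist with the same hash.
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            echo "deleted $path"; rc=1
        elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "modified $path"; rc=1
        fi
    done < "$manifest"
    # Pass 2: any file on disk that the manifest does not list was added.
    list=$(mktemp)
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) > "$list"
    while IFS= read -r f; do
        cut -d' ' -f3- "$manifest" | grep -F -x -q -- "$f" ||
            { echo "added $f"; rc=1; }
    done < "$list"
    rm -f "$list"
    return $rc
}

# Constructed demo tree (not real WordPress files): build a known-good
# manifest, then change the tree in the three ways the scanner flags.
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-includes"
echo '<?php // index' > "$demo/site/index.php"
echo '<?php // load'  > "$demo/site/wp-includes/load.php"
(cd "$demo/site" && md5sum index.php wp-includes/load.php) > "$demo/manifest"
echo '<?php // injected' >> "$demo/site/index.php"          # modified
rm "$demo/site/wp-includes/load.php"                        # deleted
echo '<?php // dropped' > "$demo/site/wp-includes/x.php"    # added
core_integrity "$demo/site" "$demo/manifest" || true
rm -rf "$demo"
```

An added file is the case a hash-only comparison misses, which is why the second pass walks the disk rather than the manifest.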

3. Vulnerability Monitoring

Apex Security continuously checks your installed plugins and themes against the WPScan Vulnerability Database and our own threat intelligence feed.

When a vulnerability is found in an installed component, you receive:

  • A dashboard notification with CVE details and severity
  • An email alert (configurable)
  • A virtual patch if available

// Enable email alerts for vulnerabilities
define('APEX_VULN_EMAIL_ALERTS', true);
define('APEX_VULN_EMAIL_TO', 'security@example.com');

// Minimum severity for alerts ('low', 'medium', 'high', 'critical')
define('APEX_VULN_MIN_SEVERITY', 'medium');

WP-CLI Commands

1. Command Overview

| Command | Description |
| --- | --- |
| wp apex-security status | Security status overview |
| wp apex-security scan | Run a security scan |
| wp apex-security waf | Manage the firewall |
| wp apex-security 2fa | Manage two-factor authentication |
| wp apex-security blocked | View blocked requests |
| wp apex-security whitelist | Manage IP whitelist |
| wp apex-security license | Manage license |

2. Full Reference

wp apex-security status

$ wp apex-security status

+-------------------------+------------------+
| Component               | Status           |
+-------------------------+------------------+
| WAF                     | Active (protect) |
| Active Rules            | 1,204            |
| Threats Blocked (24h)   | 847              |
| 2FA                     | Enabled          |
| Passkeys                | Enabled          |
| Last Scan               | 2h ago (clean)   |
| Threat Intel            | Updated 14m ago  |
| License                 | Active           |
+-------------------------+------------------+

wp apex-security waf

# Enable/disable WAF
wp apex-security waf enable
wp apex-security waf disable

# List active rules
wp apex-security waf rules --format=table

# Switch WAF mode
wp apex-security waf mode detect   # log-only
wp apex-security waf mode protect  # active blocking

wp apex-security whitelist

# Add an IP to whitelist
wp apex-security whitelist add 203.0.113.50

# Remove from whitelist
wp apex-security whitelist remove 203.0.113.50

# List all whitelisted IPs
wp apex-security whitelist list

Hooks & Filters

1. Action Hooks

| Hook | Fired When | Parameters |
| --- | --- | --- |
| apex_security_threat_blocked | A request is blocked by the WAF | $request_data, $rule_id |
| apex_security_scan_complete | A scan finishes | $scan_type, $results |
| apex_security_lockout | An IP is locked out | $ip, $attempts |
| apex_security_2fa_enrolled | A user enrolls in 2FA | $user_id, $method |

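// Example: Log blocked threats to an external SIEM
// SIEM_ENDPOINT is a placeholder: define it (e.g. in wp-config.php) as your collector's HTTPS URL
add_action('apex_security_threat_blocked', function ($data, $rule_id) {
    $payload = [
        'timestamp' => current_time('c'),
        'ip'        => $data['ip'],
        'rule'      => $rule_id,
        'type'      => $data['threat_type'],
        'uri'       => $data['request_uri'],
    ];
    wp_remote_post(SIEM_ENDPOINT, [
        'body'     => wp_json_encode($payload),
        'headers'  => ['Content-Type' => 'application/json'],
        'timeout'  => 2,      // keep a slow collector from stalling the blocked response
        'blocking' => false,  // fire-and-forget: do not wait for the SIEM's reply
    ]);
}, 10, 2);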

2. Filter Hooks

| Filter | Description | Parameters |
| --- | --- | --- |
| apex_security_waf_rules | Modify the active WAF rule set | $rules |
| apex_security_whitelist | Modify the IP whitelist | $ips |
| apex_security_scan_paths | Modify paths included in scans | $paths |
| apex_security_lockout_duration | Modify lockout duration | $minutes, $ip, $attempts |
| apex_security_2fa_methods | Modify available 2FA methods | $methods |

// Progressive lockout duration
add_filter('apex_security_lockout_duration', function ($minutes, $ip, $attempts) {
    // Triple duration after 20 attempts (checked first so this branch is reachable)
    if ($attempts > 20) return $minutes * 3;
    // Double after 10
    if ($attempts > 10) return $minutes * 2;
    return $minutes;
}, 10, 3);

Troubleshooting

1. Common Issues

| Issue | Cause | Solution |
| --- | --- | --- |
| WAF blocking legitimate requests | Overly aggressive rules | Switch to detect mode, identify the rule ID from logs, and add the IP or path to the whitelist |
| False positive in scan | Custom code matches a signature | Review the flagged file; if legitimate, add to the scan exclusion list |
| 2FA lockout | Lost authenticator device | Use backup codes, or reset via WP-CLI: wp apex-security 2fa reset --user=admin |
| Passkeys not working | HTTP-only site or old browser | Enable HTTPS and verify browser compatibility |

2. Emergency Access

If you are locked out of your WordPress admin due to WAF rules, 2FA, or a configuration error, use one of these recovery methods:

WP-CLI Recovery

# Disable WAF temporarily
wp apex-security waf disable

# Reset 2FA for your user
wp apex-security 2fa reset --user=admin

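# Clear all lockouts
# (whitelisted IPs are never blocked by the WAF; once access is restored, run:
#  wp apex-security whitelist remove YOUR_IP)
wp apex-security whitelist add YOUR_IP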

wp-config.php Recovery

If WP-CLI is not available, add this constant to wp-config.php:

// DANGER: Disables ALL Apex Security protections
// Remove immediately after regaining access!
define('APEX_SECURITY_BYPASS', true);

CRITICAL: The APEX_SECURITY_BYPASS constant disables all security protections. Remove it immediately after recovering access. Never leave it in production.
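
A check for recovery settings that were never rolled back, as an added example that is not part of Apex Security: a shell function that reads wp-config.php and reports an active APEX_SECURITY_BYPASS, a non-blocking APEX_WAF_MODE, or disabled IP reputation checks. The function names are hypothetical, and it assumes each constant is set with a single-line define() as shown on this page.

```sh
#!/bin/sh
# Added example (not part of Apex Security): audit wp-config.php for constants
# left in a weakened state. Prints findings; returns 1 if any are found.
# Limitation: only single-line define() calls are parsed, and only lines that
# begin with //, #, /* or * are treated as comments.

# Print the last active value assigned to constant $2 in file $1, lowercased.
apex_const() {
    grep -v -E '^[[:space:]]*(//|#|/?\*)' "$1" |
        sed -n -E "s/.*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]?([A-Za-z0-9_]+)['\"]?[[:space:]]*\).*/\1/p" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

apex_config_audit() {
    cfg=$1; rc=0
    case "$(apex_const "$cfg" APEX_SECURITY_BYPASS)" in
        true|1) echo "CRITICAL: APEX_SECURITY_BYPASS is enabled (all protections off)"; rc=1 ;;
    esac
    mode=$(apex_const "$cfg" APEX_WAF_MODE)
    case "$mode" in
        ''|protect) ;;  # unset means the documented default, protect
        *) echo "WARNING: APEX_WAF_MODE is '$mode' (malicious requests are not blocked)"; rc=1 ;;
    esac
    if [ "$(apex_const "$cfg" APEX_WAF_IP_REPUTATION)" = "false" ]; then
        echo "WARNING: APEX_WAF_IP_REPUTATION is false (reputation checks off)"; rc=1
    fi
    return $rc
}

# Constructed sample: recovery settings that were never rolled back.
sample=$(mktemp)
cat > "$sample" <<'EOF'
define('APEX_WAF_MODE', 'detect');      // switched while debugging a false positive
// define('APEX_WAF_IP_REPUTATION', false);
define('APEX_SECURITY_BYPASS', true);
EOF
apex_config_audit "$sample" || true
rm -f "$sample"
```

Run from cron or a deploy pipeline, the non-zero return code can fail the job so a forgotten bypass does not stay in production unnoticed.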

7 categories · 20 sections · Apex Security v1.5.0