WordSentinel

The WordSentinel plugin by Nexsol Technologies Sàrl enhances your WordPress website’s security by automatically applying and managing HTTP security headers — including Content Security Policy (CSP) — while providing live security analysis powered by Mozilla Observatory. Unlike simple header managers, WordSentinel actively helps you understand, measure, and improve your site’s protection.\ It provides clear dashboards, actionable insights, and real-time grading so you can reinforce your headers with confidence — no deep technical knowledge required. What WordSentinel Does WordSentinel helps protect your WordPress website against common web vulnerabilities such as:

• Cross-Site Scripting (XSS)
• Clickjacking attacks
• Content injection and mixed content issues
• Insecure resource loading (scripts, iframes, styles) It does so by implementing a complete and configurable set of browser-level security headers, giving you granular control over each directive.

In addition, it connects securely to Mozilla Observatory to scan your site and assign a security grade (A+ to F), helping you benchmark your configuration and understand what needs improvement. Key Features

• Comprehensive HTTP Header Management\ Easily configure headers such as:
• Content Security Policy (CSP)
• Strict-Transport-Security (HSTS)
• X-Frame-Options
• Referrer-Policy
• X-Content-Type-Options
• Permissions-Policy
• Real-Time Security Analysis\ Instantly scan your site via Mozilla Observatory and get a visual security grade.\ The plugin automatically handles rate limits with built-in cooldown protection.
• Advanced CSP Management\ Create, test, and refine your CSP rules dynamically.\ WordSentinel now supports automatic hash generation for inline scripts and styles, improving both flexibility and security.
• Smart License and Subscription System\ The free version covers essential headers and analysis.\ Premium users unlock advanced CSP tools, automatic reports, and custom integrations.\ Licenses are securely validated through Nexsol’s API and cached locally for 24 hours.
• Optimized for Local and Production Environments\ Automatically detects if you are running on localhost and disables API calls for safe testing.
• Performance and Privacy First\ WordSentinel is lightweight, privacy-respecting, and runs entirely within WordPress.\ No telemetry, analytics, or tracking are ever collected.
• Multilingual and Accessible Interface\ Translated into six languages with an adaptive design inspired by Mozilla’s clean security aesthetic.

Why Choose WordSentinel?

• Easy setup — no coding skills required
• Combines security headers and observatory analysis in one plugin
• Works seamlessly with most WordPress security and caching plugins
• Developed and maintained by Nexsol Technologies, a Swiss-based IT company
• Transparent, privacy-respecting, and GPL-licensed

WordSentinel merges modern web security standards with a simple and intuitive configuration experience — making it a must-have for both developers and site owners who care about protection and compliance.

1. Install WordSentinel
2. Upload the plugin files to /wp-content/plugins/wordsentinel/, or install it directly from the WordPress Plugin Directory.
3. Activate the plugin through the Plugins screen in WordPress.
4. Run Your First Security Scan
5. Navigate to WordSentinel → Dashboard in your admin sidebar.
6. The first scan should run automatically, but if not you can click “Launch Scan” to analyze your site with Mozilla Observatory.
7. View your grade and detailed results instantly.
8. Configure Your Security Headers
9. Go to the Headers tab, you will see that all options are enabled by default, you can toggle on and off HTTP headers such as CSP, HSTS, and Referrer-Policy.
10. Save changes if you made any and verify results with another scan by clicking on “Launch Scan” at the top of the dashboard.
11. Review Your Site
12. Test your website normally to ensure compatibility with your active theme and plugins.
13. WordSentinel automatically excludes the Divi Builder admin pages from CSP enforcement for a smooth experience.
14. (Optional) Activate Premium Features
15. Enter your license key under WordSentinel → License to unlock the Advanced CSP tab.
16. Premium users gain access to granular Content Security Policy management, automatic hashing, and advanced resource control.

Once activated, open the Advanced CSP tab to fine-tune how your website handles external resources and inline code.\ Each field corresponds to a specific type of resource that browsers enforce under the CSP standard:

• Script Sources (script-src) – Defines the trusted locations for JavaScript files.\ Add domains such as https://cdnjs.cloudflare.com or https://www.googletagmanager.com if your site uses external scripts.\ WordSentinel automatically hashes inline scripts when hashing is enabled.
• Style Sources (style-src) – Controls which URLs can load CSS.\ Include domains like https://fonts.googleapis.com for Google Fonts, or your CDN if styles are served externally.\ WordSentinel can also hash inline styles for maximum compatibility and security.
• Image Sources (img-src) – Specifies where images are allowed to load from.\ For example, you might whitelist https://cdn.yourhost.com or data: if your theme uses base64-encoded images.
• Font Sources (font-src) – Used for font files such as .woff or .woff2.\ Common examples include https://fonts.gstatic.com or your CDN’s domain.
• Frame Sources (frame-src) – Controls which external pages can be embedded in <iframe> elements.\ For example, to allow YouTube or Vimeo embeds, add https://www.youtube.com and https://player.vimeo.com.
• Connect Sources (connect-src) – Defines which endpoints can be called using APIs like fetch() or WebSockets.\ This is critical for AJAX-heavy websites or third-party integrations.
• Media Sources (media-src) – Whitelist locations for video or audio files.\ If your website uses external streaming or hosted media, list their domains here.
• Default Sources (default-src) – Acts as a fallback policy for any type of resource not covered above.\ When in doubt, set this to 'self' to restrict everything to your domain unless explicitly whitelisted elsewhere.

💡 When a Resource is Blocked If your browser’s console shows an error such as: Refused to load the script from 'https://example.com' because it violates the Content Security Policy directive: "script-src 'self'" That means WordSentinel is actively protecting your website — the CSP is doing its job.\ To resolve the issue, simply copy the indicated domain (https://example.com) and add it to the corresponding source list (e.g. “Script Sources”) in the Advanced CSP tab.\ Save your changes, refresh your site, and the resource will load securely while keeping full CSP protection active. WordSentinel’s premium CSP module is designed to make advanced header configuration safe and understandable, even for non-developers — giving you both control and peace of mind.

1.2.1 – October 24, 2025

• Feature: Added plugin screenshots for the WordPress.org listing.
• Improvement: Added screenshot descriptions for better presentation on plugin page.
• Fix: Minor alignment adjustments in admin panels.

1.2.0 – October 24, 2025

• Feature: Added hashing support for inline style tags in CSP.
• Improvement: Enhanced admin UI with asynchronous panel loading and smooth animations.
• Improvement: Centralized all license management logic in a single class.
• Improvement: Implemented 24-hour caching for license validation to reduce API requests.
• Improvement: Refined license validation messages and overall flow.
• Improvement: Excluded Divi Builder admin pages from CSP enforcement for compatibility.
• Improvement: Adopted Mozilla Observatory color palette for grade visuals.
• Improvement: Optimized execution order and structure of admin-script.js.
• Improvement: Completed translations in six languages (EN, FR, DE, ES, IT, PT-BR).
• Fix: Minor visual inconsistencies in the grade display panels.

1.1.0 – June 6, 2025

• Feature: Introduced premium features and subscription-based licensing system.
• Feature: Added advanced CSP management tools for premium users.
• Improvement: Enhanced security scanning with automated reporting.
• Improvement: Integrated secure license key validation and JWT handling.
• Improvement: Updated admin interface with clearer notices and refined UX.
• Improvement: Localized all plugin assets to remove CDN dependencies.
• Fix: Improved sanitization, nonce verification, and escaping across admin forms.
• Fix: Minor styling and layout inconsistencies.

1.0.2 – March 1, 2025

• Improvement: Confirmed compatibility with WordPress 6.8.

1.0 – February 2025

• Feature: Initial release with Mozilla Observatory integration.
• Feature: Added dashboard view and retry functionality with cooldown protection.