
16 February 2026

Getting Started with WPSEC PRO Auto-Fix

WPSEC PRO Auto-Fix automatically resolves common security findings without manual intervention. This tutorial explains how it works and how to use it safely.

How Auto-Fix Works

Auto-Fix uses cryptographically signed execution tokens to apply security fixes:

  1. The WPSEC server generates a signed, time-limited, single-use token for each fix.
  2. The plugin verifies the token signature using Ed25519 cryptography.
  3. The fix is applied only if the token is valid and not expired.
  4. An undo snapshot is created before any changes are made.

Using Auto-Fix

  1. Run a hardening scan from WPSEC → Hardening.
  2. Look for findings with the Auto-Fix Available badge.
  3. Review what the fix will change.
  4. Click Auto-Fix to apply the fix.
  5. Verify the fix was applied successfully.

What Can Be Auto-Fixed

  • File permission corrections
  • Security header configuration
  • Directory listing prevention
  • PHP configuration hardening
  • WordPress configuration improvements

Undo a Fix

If an auto-fix causes issues:

  1. Go to WPSEC → Hardening.
  2. Find the applied fix in the history.
  3. Click Undo to revert to the pre-fix state.

Security of Auto-Fix

Auto-Fix is designed with security as the top priority:

  • Signed tokens — Each fix requires a cryptographically signed token that cannot be forged.
  • Single-use — Tokens can only be used once, preventing replay attacks.
  • Time-limited — Tokens expire after a short window.
  • Undo snapshots — Every fix can be reverted.
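
The checks listed under How Auto-Fix Works and in the list above (signature, time limit, single use), shown as an added PHP example that is not WPSEC's own code. The token layout, the field names fix_id, nonce and expires, and the FixTokenVerifier class are assumptions made for illustration; it needs PHP 8 with the sodium extension.

```php
<?php
// Added illustration. Token layout (JSON payload + detached Ed25519 signature) and
// every name below are assumptions, not WPSEC's actual format or code.
final class FixTokenVerifier
{
    /** @var array<string,bool> Consumed nonces; a real plugin would persist these. */
    private array $used = [];

    public function __construct(private string $serverPublicKey) {}

    /** Returns the decoded payload if the token is valid for $fixId, otherwise throws. */
    public function verify(string $payloadJson, string $signature, string $fixId, int $now): array
    {
        // 1. Signature first: nothing in the payload is trusted before this passes.
        if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
            || !sodium_crypto_sign_verify_detached($signature, $payloadJson, $this->serverPublicKey)) {
            throw new RuntimeException('bad signature');
        }
        $p = json_decode($payloadJson, true, 8, JSON_THROW_ON_ERROR);
        // 2. The token must be bound to the fix being requested.
        if (($p['fix_id'] ?? null) !== $fixId) {
            throw new RuntimeException('token issued for a different fix');
        }
        // 3. Time limit.
        if (!is_int($p['expires'] ?? null) || $now >= $p['expires']) {
            throw new RuntimeException('token expired');
        }
        // 4. Single use: record the nonce so a replayed token is rejected.
        $nonce = (string)($p['nonce'] ?? '');
        if ($nonce === '' || isset($this->used[$nonce])) {
            throw new RuntimeException('token already used');
        }
        $this->used[$nonce] = true;
        return $p;
    }
}

// Constructed demo: a throwaway key pair stands in for the server's signing key.
$kp = sodium_crypto_sign_keypair();
$fix = 'disable-directory-listing';
$payload = json_encode(['fix_id' => $fix, 'nonce' => bin2hex(random_bytes(16)), 'expires' => time() + 300]);
$sig = sodium_crypto_sign_detached($payload, sodium_crypto_sign_secretkey($kp));
$v = new FixTokenVerifier(sodium_crypto_sign_publickey($kp));
$v->verify($payload, $sig, $fix, time());  // first use
// Replay of the same token, then a payload altered after signing: both must be refused.
foreach ([$payload, $payload . ' '] as $candidate) {
    try { $v->verify($candidate, $sig, $fix, time()); }
    catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
}
```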

Tip: Start by auto-fixing low-severity findings to build confidence with the system before tackling critical fixes.