Titan Anti-spam & Security - Settings Reference
Titan Anti-spam & Security is a WordPress plugin that provides spam protection, brute force login prevention, security hardening, site backups, two-factor authentication, and vulnerability scanning. You can find all plugin settings in the WordPress admin under the Titan Security top-level menu item.
Dashboard
The Dashboard is the landing page you see when you open Titan Security. It does not contain configurable settings. It shows an anti-spam statistics card summarizing how many spam comments the plugin has caught, along with a Security Audit panel.
Security Audit
The Security Audit panel lets you run an on-demand scan of your site. When you click Scan Now, the plugin checks your WordPress installation for common security issues such as exposed version numbers, weak file permissions, and outdated software. Results appear as a list of findings with severity indicators. You can hide individual audit items you have already addressed or choose to ignore; hidden items remain accessible behind a collapsible "hidden items" toggle.
After scanning, two tabs appear inside the audit panel:
- Security Audit shows configuration warnings the plugin detected. Each item includes a title, description, and in some cases a one-click fix button. Results are cached for five minutes and refresh automatically on the next page load after expiry.
- Vulnerabilities shows known vulnerabilities in your installed plugins and themes. Vulnerability data is cached for 12 hours and is also cleared automatically when plugins or themes are updated, activated, or removed. This tab requires a Pro license to view results; free users see a Pro badge on the tab.
The premium plugin adds a file and folder permissions check to the audit. When the scan detects files or folders with incorrect permissions, it flags them with a medium-severity warning titled "The files/folders have wrong permissions" and offers a fix button that sets directories to 0755 and files to 0644. This check and its fix button are only available with a Pro license.
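A read-only audit for the same condition, as an added example that is not the plugin's own code: it walks a directory tree and reports every entry whose mode differs from the 0755/0644 targets above, without changing anything. The sample tree, its file names and its modes are constructed for the demonstration.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # target mode for directories, as stated above
FILE_MODE = 0o644  # target mode for files, as stated above

def audit_permissions(root):
    """Return sorted (relative_path, actual_mode, expected_mode) mismatches."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # do not judge a link by its target
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
    return sorted(findings)

def world_writable(findings):
    """Mismatches that any local account can modify: review these first."""
    return [f for f in findings if f[1] & stat.S_IWOTH]

def demo():
    """Audit a constructed sample tree (names and modes are made up)."""
    layout = {"index.php": 0o644, "wp-config.php": 0o664,
              "themes": 0o755, "uploads": 0o777}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in layout.items():
            path = os.path.join(root, name)
            if name.endswith(".php"):
                open(path, "w").close()
            else:
                os.mkdir(path)
            os.chmod(path, mode)  # chmod is not affected by the umask
        return audit_permissions(root)

if __name__ == "__main__":
    found = demo()
    for rel, actual, expected in found:
        print(f"{rel}: {actual:04o} (expected {expected:04o})")
    print("world-writable:", [f[0] for f in world_writable(found)])
```

Running a report like this before using a bulk fix shows which entries would change, including any that were given a stricter mode on purpose.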
Anti-Spam
Base Options
Anti-spam mode
When enabled, the plugin actively filters incoming comments for spam across your entire site. Turn this off only if you want to temporarily suspend all spam protection, for example during testing or if another spam plugin is handling filtering.
Save spam comments
When enabled, the plugin saves detected spam into the WordPress spam comments section instead of silently discarding it. This is useful when you first install the plugin and want to verify it is correctly identifying spam. If your site receives heavy spam traffic, you may want to disable this to avoid cluttering the spam folder.
Show privacy policy link under your comment forms
When enabled, the plugin displays a link to your site's Privacy Policy page beneath comment forms, informing visitors how their comment data may be processed. This setting appears disabled with a note reading "Your site needs a Privacy Policy page before this option can be used" if you have not yet created a Privacy Policy page in WordPress. You can click the Open Privacy Settings button that appears in that case to set one up.
Analyze comments for spam using Machine Learning
When enabled, the plugin uses advanced Machine Learning algorithms to detect spam comments with higher accuracy, marking comments as spam based on patterns learned from large datasets. This goes beyond the standard filtering and catches more sophisticated spam. This setting is Pro only.
Backup
This entire page requires a Pro license. Free users see a disabled preview of the controls with an upgrade banner.
Backup Settings
Backup Schedule
Controls how often the plugin automatically creates backups. The options are Manually (no automatic backups), Every 2h, Every 8h, and Daily. Choose a frequency that matches how often your site content changes. More frequent backups use more server resources and storage space, but give you more recent restore points. When set to Manually, you create backups only by clicking the Create New Backup button. This setting is Pro only.
Remove Old Archives
When enabled, the plugin automatically deletes backup archives older than seven days. Turn this on if you want to keep storage usage under control, especially when using frequent automatic backups. If you prefer to manage backup retention yourself, leave this off. This setting is Pro only.
Backup Speed
Controls how many files the plugin processes per iteration during a backup. Three modes are available: Slow (100 files per iteration), Fast (500 files per iteration), and Custom (you enter your own number). Higher speeds complete backups faster but place more load on your server. If your hosting provider enforces strict resource limits or you notice timeouts during backup, use Slow or a low custom value. This setting is Pro only.
Backup Storage
Backup Storage
Determines where backups are stored. Three options are available:
- Local stores backups on your server in the WordPress uploads directory. No additional configuration is needed, but your backups are only as safe as your server.
- FTP stores backups on a remote FTP or SFTP server. When selected, you must provide the Host, Port (21 for FTP, 22 for SFTP), Username, Password, and Remote Path. The plugin auto-detects whether to use FTP or SFTP based on the port number.
- Dropbox stores backups in your Dropbox account. When selected, you click Authorize Dropbox to connect via OAuth. Once connected, a green indicator shows "Dropbox connected" and you can disconnect at any time.
This setting is Pro only.
Backups
This section lists all existing backups in a table showing Date, Size, Storage location, and Actions. You can download or delete individual backups. When a backup is in progress, a progress bar appears with the current percentage and an Abort button. Multi-part backups (large sites split across multiple ZIP files) trigger a sequential download of each part.
Two-Factor
This page requires a Pro license. Free users see a disabled preview with an upgrade banner.
Setup Authenticator App
When two-factor authentication has not yet been activated for your account, this card walks you through setup in three steps. First, download a TOTP-compatible authenticator app such as Google Authenticator or Authy. Second, scan the displayed QR code with your app, or click Copy to copy the secret key for manual entry. You can click Refresh QR Code to generate a new secret if needed. Third, enter the six-digit code from your authenticator app and click Verify & Activate to complete setup.
Backup Codes
Once two-factor authentication is active, this section displays one-time recovery codes you can use if you lose access to your authenticator device. Used codes appear with a strikethrough. You can copy all active codes to your clipboard or click Regenerate to create a new set, which is also emailed to you. Store these codes somewhere safe and separate from your device.
IP Whitelist
Lets you skip the two-factor prompt for trusted IP addresses. Enter one IP address or CIDR range per line. When you log in from a whitelisted IP, the plugin does not ask for a second factor. This is convenient for office networks or other locations you control, but reduces security for those connections.
Disable Two-Factor Authentication
A single button that removes two-factor authentication from your account. You must confirm the action before it takes effect. You can re-enable two-factor authentication at any time by going through the setup process again.
User Management
This section is visible to administrators and shows a table of all site users with their two-factor status (Active, Pending Setup, or Inactive). Administrators can enable or disable two-factor authentication for individual users and regenerate backup codes on their behalf. A search field lets you filter users by name. This is useful for enforcing two-factor authentication across your organization or helping users who have lost access to their authenticator app.
Two-factor settings also appear on each user's WordPress profile page (Users > Profile or Users > Edit User) under a Two-Factor Authentication heading. The profile view shows the current status (Enabled, Pending Setup, or Disabled), the QR code and setup flow when pending, the Regenerate TOTP Secret button when active, and the list of restore codes.
Security
Settings
Base Settings
Strong Password Requirement
When enabled, the plugin forces users to choose passwords rated as strong by the WordPress password meter. This prevents users from setting weak passwords that could be easily guessed. If your site allows public registrations, consider which roles you enforce this for using the minimum role setting below.
Strong Password Minimum Role
This dropdown only appears when Strong Password Requirement is enabled. It sets the lowest role that must use a strong password. The options are Administrator, Editor, Author, Contributor, and Subscriber. For example, setting this to Contributor means Contributors, Authors, Editors, and Administrators must all use strong passwords, but Subscribers do not. If your site invites public registrations, setting the role too low may frustrate new members who just want a simple account.
Hide author login
When enabled, the plugin blocks requests like yoursite.com/?author=1 that would normally redirect to an author archive page and reveal the author's username. Attackers use this technique to discover valid login names. Enabling this setting redirects those requests so the username is not exposed.
Disable XML-RPC
When enabled, the plugin disables the XML-RPC interface and removes the X-Pingback HTTP header. Pingbacks are automated notifications sent when another site links to yours, but they are frequently abused for spam and DDoS amplification attacks. Unless you rely on XML-RPC for a mobile app, remote publishing tool, or a plugin like Jetpack that requires it, you should enable this setting.
Hide WordPress Versions
Remove HTML comments
When enabled, the plugin strips all HTML comments from your site's source code, except for special and hidden comments. Many plugins include their version number in HTML comments, which an attacker could use to find known vulnerabilities. Enable this if you want to remove those version fingerprints from your page source.
Remove meta generator
When enabled, the plugin removes the <meta name="generator"> tag from your site's <head> section. This tag normally advertises which version of WordPress you are running. Removing it makes it harder for attackers to target version-specific exploits. This setting is marked as recommended.
Remove Version from Script
When enabled, the plugin strips the version query string (for example ?ver=x.y.z) from all enqueued JavaScript file URLs. This prevents attackers from identifying the exact WordPress or plugin version through script URLs and also improves browser caching of those files. This setting is marked as recommended.
Remove Version from Stylesheet
When enabled, the plugin strips the version query string (for example ?ver=x.y.z) from all enqueued CSS file URLs. This prevents attackers from fingerprinting your WordPress or plugin version through stylesheet URLs and improves browser caching. This setting is marked as recommended.
Exclude stylesheet/script file names
A text area where you enter file URLs that should be excluded from the version removal performed by the two settings above, one URL per line. Use this if a specific script or stylesheet breaks when its version string is removed, which can happen with some caching setups or CDNs that use the query string for cache busting.
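To confirm that the four settings in this section took effect, you can scan a saved copy of a page for the fingerprints they remove. The following is an added example, not part of the plugin; the sample HTML is constructed, and the way exclusions are matched and which comments count as "special" are assumptions marked in the code.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class FingerprintScanner(HTMLParser):
    """Collects (kind, detail) for each version fingerprint left in a page."""
    def __init__(self, excluded=()):
        super().__init__()
        self.excluded = set(excluded)  # URLs listed in the exclusion text area
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("meta-generator", a.get("content", "")))
        elif tag == "script" and a.get("src"):
            self._check_url("script-ver", a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check_url("style-ver", a.get("href", ""))

    def _check_url(self, kind, url):
        bare = url.split("?", 1)[0]
        # Assumption: an exclusion matches the URL with its query string removed.
        if "ver" in parse_qs(urlsplit(url).query) and bare not in self.excluded:
            self.findings.append((kind, url))

    def handle_comment(self, data):
        # Assumption: conditional comments are among the "special" ones kept.
        if not data.strip().startswith("[if"):
            self.findings.append(("html-comment", data.strip()))

def scan(html, excluded=()):
    scanner = FingerprintScanner(excluded)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; host, paths and version strings are placeholders.
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 0.0.0" />
<link rel="stylesheet" href="https://example.test/theme/style.css?ver=0.0.0" />
<script src="https://example.test/js/a.js?ver=0.0.0"></script>
<script src="https://example.test/js/b.js"></script>
<!-- Example Plugin v0.0.0 -->
<!--[if lt IE 9]><p>legacy notice</p><![endif]-->
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(f"{kind}: {detail}")
```

An empty result on a page fetched while logged out means none of these markers remain in that page's source; it says nothing about version information exposed elsewhere.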
Limit Login Attempts
Enable Brute Force Protection
The master toggle for the brute force protection module. When enabled, the plugin tracks failed login attempts and temporarily locks out IP addresses or usernames that exceed the allowed retry limit. All settings below only appear when this toggle is on.
Lockout Settings
GDPR Compliance
When enabled, the plugin stops storing IP addresses in its login attempt records. Enable this if your site must comply with GDPR or similar privacy regulations. Note that enabling this means IP-based lockouts and IP whitelisting or blacklisting will not function, since the plugin will not record which IP made the attempt.
Allowed Retries
The number of failed login attempts a user or IP address is allowed before being locked out. The default is 4. Set this lower for tighter security or higher if legitimate users frequently mistype their passwords. The minimum value is 1.
Minutes Lockout
How many minutes a user or IP address is locked out after exceeding the allowed retries. The default is 20 minutes. A longer lockout discourages automated attacks more effectively but also locks out legitimate users who mistype their password for longer. The minimum value is 1 minute.
Hours Until Retries Are Reset
The number of hours before the failed login attempt counter resets for a given user or IP. The default is 12 hours. After this period, the user gets a fresh set of retries. Setting this higher means the attempt history persists longer, giving repeat offenders less opportunity to try again.
Whitelist
Whitelist IP Addresses
A text area where you enter IP addresses or IP ranges (one per line, using the format 1.2.3.4-5.6.7.8 for ranges) that should never be locked out by brute force protection. Use this for your own IP address, your office network, or any other trusted source. Whitelisted IPs can still fail login attempts without triggering a lockout.
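Before pasting entries into this field or into the two-factor IP Whitelist, it helps to see how many addresses each line actually exempts. The following added example (not the plugin's parser, whose behaviour the page does not show) accepts a single IP, the CIDR form and the 1.2.3.4-5.6.7.8 range form, and flags invalid or very broad lines; the 256-address review threshold and the sample list are assumptions made for the demonstration.

```python
import ipaddress

def parse_entry(line):
    """Return (first, last) addresses for one list line, or None if invalid."""
    line = line.strip()
    try:
        if "-" in line:  # range form: 1.2.3.4-5.6.7.8
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None
            return lo, hi
        net = ipaddress.ip_network(line, strict=False)  # single IP or CIDR
        return net[0], net[-1]
    except ValueError:
        return None

def audit_list(text, max_size=256):
    """Return (entry, status, address_count) per non-empty line.

    max_size is an arbitrary review threshold, not a plugin limit."""
    report = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        span = parse_entry(entry)
        if span is None:
            report.append((entry, "invalid", 0))
            continue
        size = int(span[1]) - int(span[0]) + 1
        report.append((entry, "broad" if size > max_size else "ok", size))
    return report

def is_listed(ip, text):
    """True if ip falls inside any valid entry of the list."""
    addr = ipaddress.ip_address(ip)
    for line in text.splitlines():
        span = parse_entry(line)
        if span and span[0].version == addr.version and span[0] <= addr <= span[1]:
            return True
    return False

# Constructed list: documentation addresses plus the format example above.
SAMPLE = "192.0.2.10\n198.51.100.0/24\n1.2.3.4-5.6.7.8\n203.0.113.300\n"

if __name__ == "__main__":
    for entry, status, size in audit_list(SAMPLE):
        print(f"{entry:20} {status:8} {size}")
```

The range used as the format example spans more than 67 million addresses, which is why each line deserves a size check before it is trusted.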
Whitelist Usernames
A text area where you enter usernames (one per line) that should never be locked out. This is useful for service accounts or administrator usernames that you want to protect from accidental lockout, though it does reduce security for those accounts against brute force attacks.
Blacklist
Blacklist IP Addresses
A text area where you enter IP addresses or IP ranges (one per line) that should always be blocked from logging in, regardless of whether they have exceeded the retry limit. Use this to permanently block known malicious IPs that have attacked your site.
Blacklist Usernames
A text area where you enter usernames (one per line) that should always be blocked from logging in. This is useful for blocking common attack targets like "admin" or "administrator" if those are not real accounts on your site, or for blocking known compromised usernames.
Login Attempts Log
This page does not contain settings. It displays a table of login attempts tracked by the brute force protection module, showing the Date, IP address, the username that was tried, the Gateway (how the login was attempted), and an Action column. Locked entries show an Unlock button that lets you manually release a locked-out IP before the lockout period expires. Entries also show whether they have expired naturally or been manually unlocked. The table is empty until you enable brute force protection and failed login attempts occur.
Error Log
This page does not contain settings. It displays a scrollable viewer showing the plugin's internal error log. Two action buttons are available: Export Debug Information downloads the log as a file you can send to support, and Clean-up Logs permanently deletes all log entries. The clean-up button also shows the current log file size.
Settings
License
If the premium plugin is installed, this section shows your license status (Active or Inactive) and a field to enter or view your license key. When the license is inactive, enter your key and click Activate to unlock premium features. When active, the key is masked and a Deactivate button is available. If the premium plugin is not installed, this section shows an upgrade banner with a Get Premium button linking to the purchase page.
Advanced settings
Complete Uninstall
When enabled, deleting the plugin from the WordPress Plugins page also removes all of its settings and data from the database. Leave this off if you plan to reinstall the plugin later and want to keep your configuration. Enable it only when you are permanently removing the plugin and want a clean uninstall.
Send anonymous usage data
When enabled, the plugin shares anonymous usage statistics with the developer to help improve the product. No personal data is collected and data is never shared with third parties. You can safely disable this if you prefer not to share any data.
Import/Export
Import/Export settings
A text area that displays all current plugin settings in JSON format. To export your settings, copy the JSON content and save it. To import settings from another site, paste the JSON into this field and click Import options. The import and export exclude site-specific values such as backup storage credentials, backup status, and privacy policy page references, so these will not transfer between sites.
