MFA v1.7: Hardening Checks and Nginx Directives

MFA v1.7 added two significant features beyond TOTP authentication: a comprehensive hardening checks system and a visual Nginx directives generator for Plesk. Both were born from real MSP operational needs.

Hardening Checks

More than ten automated security checks: file permissions on wp-config.php, debug log exposure via HTTP, database table prefix check, SSL enforcement status, PHP version against known CVEs, REST API user enumeration, XML-RPC status, .htaccess integrity, directory listing exposure, and more. Each check returns a clear pass/fail result, with a one-click remediation button where applicable.

Nginx Directives Generator

The AJT stack runs on Plesk with Nginx, where .htaccess files are useless because Nginx does not read them. The directives generator scans the server environment, detects which AJT plugins are installed, and generates production-ready Nginx directives: deny-all blocks for sensitive directories, PHP execution blocks in uploads, rate limiting zones, security headers, and AJT-specific protections for plugin data directories.

The generator registers a filter that other AJT plugins hook into. When Fortify is installed, it contributes its data directory protection rules and WAF bypass headers to the generator output. When Backup is installed, it adds protection for backup staging directories. Each plugin enriches the generated directives without MFA needing to know the details.

IP Rate Limiting

A transient-based rate limiter on the authenticate hook tracks failed login attempts per IP. After 5 failures (configurable), the IP is locked out for 15 minutes. It also blocks XML-RPC authentication when 2FA is active, closing the bypass that most MFA plugins ignore. Fortify’s sentinel operates at a higher level (before WordPress loads), but MFA’s rate limiter provides application-level protection when Fortify is not installed.
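As an added illustration of the rate limiter described above (example code, not the MFA plugin's own), a transient-based lockout on WordPress's `authenticate` filter with the XML-RPC bypass closed. It assumes REMOTE_ADDR carries the real client IP (Nginx/PHP-FPM must pass it through; X-Forwarded-For is client-controlled and deliberately not trusted), and `ajt_mfa_is_2fa_active()` is an assumed settings helper, not a real function.

```php
<?php
// Added example, not the MFA plugin's own code: transient-based login rate
// limiting on the 'authenticate' filter, plus XML-RPC blocking when 2FA is on.
// Assumed: REMOTE_ADDR is the real client IP; ajt_mfa_is_2fa_active() is a
// hypothetical settings helper.

define('AJT_MFA_MAX_FAILURES', 5);                        // configurable threshold
define('AJT_MFA_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS); // lockout window

function ajt_mfa_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; // never X-Forwarded-For
}

function ajt_mfa_transient_key(string $ip): string {
    return 'ajt_mfa_fail_' . md5($ip); // short, safe key for IPv4 or IPv6
}

// Count a failed login per IP. Our own lockout error is not counted, so
// retries during a lockout do not extend the window indefinitely.
function ajt_mfa_record_failure(string $username, $error = null): void {
    if ($error instanceof WP_Error && $error->get_error_code() === 'ajt_mfa_locked_out') {
        return;
    }
    $key   = ajt_mfa_transient_key(ajt_mfa_client_ip());
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, AJT_MFA_LOCKOUT_SECONDS); // expiry = lockout window
}
add_action('wp_login_failed', 'ajt_mfa_record_failure', 10, 2);

// Reject the login once the threshold is hit, even with a correct password.
// Priority 30 runs after core's username/password check (priority 20), which
// would otherwise overwrite an earlier WP_Error with its own result.
function ajt_mfa_check_lockout($user, string $username, string $password) {
    $count = (int) get_transient(ajt_mfa_transient_key(ajt_mfa_client_ip()));
    if ($count >= AJT_MFA_MAX_FAILURES) {
        return new WP_Error('ajt_mfa_locked_out',
            __('Too many failed login attempts. Try again in 15 minutes.', 'ajt-mfa'));
    }
    return $user;
}
add_filter('authenticate', 'ajt_mfa_check_lockout', 30, 3);

// Reset the counter on success so a legitimate user is not locked out later.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(ajt_mfa_transient_key(ajt_mfa_client_ip()));
}, 10, 2);

// XML-RPC authenticates outside the 2FA flow, so disable it while 2FA is active.
add_filter('xmlrpc_enabled', function (bool $enabled): bool {
    return ajt_mfa_is_2fa_active() ? false : $enabled;
});
```

Because transients are stored in the options table (or the object cache), the counter is shared across all PHP workers, which a per-process in-memory counter would not be.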
