Access Control & Security Guide

Protect your AI agents and control who can access them with built-in security features.

Access Control Overview

Two Access Modes

1. Public Access (Default)

  • Anyone can view and use the agent
  • No login required
  • Best for: Marketing tools, public services, lead generation

2. Login Required

  • Only logged-in users can access
  • Redirects to WordPress login
  • Best for: Premium features, member-only tools, internal tools

Login Requirements

Enabling Login Requirement

Step 1: Edit Agent

  1. Go to AI Agents > Edit Agent
  2. Find Access Settings meta box (sidebar)
  3. Check ☑️ "Require users to be logged in to access this agent"
  4. Click Update

What Happens:

  • Logged-out users see: "Login Required" message
  • They're prompted to log in
  • After login, they're redirected back to the agent

User Experience

For Logged-Out Users:

┌─────────────────────────────────┐
│   🔒 Login Required              │
│                                  │
│   You must be logged in to      │
│   access this AI agent.          │
│                                  │
│   [ Log In ] [ Register ]        │
└─────────────────────────────────┘

For Logged-In Users:

  • Normal agent page displays
  • Form is accessible
  • Can submit and see results

Testing Access Control

Test as logged-out user:

  1. Open incognito/private window
  2. Visit agent URL
  3. Verify "Login Required" appears

Test as logged-in user:

  1. Log in to WordPress
  2. Visit agent URL
  3. Verify agent displays normally

Security Features

1. Nonce Verification

What it is:
Security token that prevents Cross-Site Request Forgery (CSRF) attacks.

How it works:

1. WordPress generates unique nonce
2. Included in form
3. Verified on submission
4. Invalid nonce = Rejected (403 error)

Automatic protection:

  • ✅ Every form submission verified
  • ✅ Multi-key nonce system (checks 6 locations)
  • ✅ Time-based expiration (24 hours)

2. Input Sanitization

All form data is sanitized:

Text fields:

sanitize_text_field($input); // Removes HTML tags, scripts

Email fields:

sanitize_email($input); // Strips characters that are not allowed in an email address; use is_email() to validate

Numbers:

intval($input); // Converts to integer
floatval($input); // Converts to decimal

Files:

  • MIME type verification
  • File extension check
  • Size validation

3. SQL Injection Prevention

All database queries use prepared statements:

$wpdb->insert(
    $table_name,
    array('data' => $value),
    array('%s') // Type formatting prevents injection
);

  • ✅ Never concatenates user input into SQL
  • ✅ Automatic escaping
  • ✅ Type validation

4. XSS Prevention

All output is escaped:

HTML content:

echo esc_html($user_input); // Converts <script> to &lt;script&gt;

Attributes:

<input value="<?php echo esc_attr($value); ?>">

URLs:

<a href="<?php echo esc_url($link); ?>">

5. File Upload Security

Multiple security layers:

Client-side:

  • File type validation
  • Size limit check (25MB)
  • Total size check (100MB)

Server-side:

  • MIME type verification
  • Extension whitelist
  • Content validation
  • No executable files allowed

Blocked file types:

.exe, .php, .sh, .bat, .cmd, .com, .pif, .scr, .vbs

Allowed file types:

.jpg, .jpeg, .png, .gif, .pdf, .doc, .docx, .xls, .xlsx
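
Added example (not the plugin's own code, which is PHP): the server-side extension and content checks listed above, sketched in JavaScript as a check a receiving workflow could run on a file buffer. The helper name checkUpload, the byte signatures and the sample buffers are assumptions made for illustration.

```javascript
// Leading bytes for each allowed type on the page (standard file signatures).
const ZIP = [0x50, 0x4b, 0x03, 0x04];                         // .docx/.xlsx are ZIP containers
const OLE = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]; // legacy .doc/.xls
const JPEG = [0xff, 0xd8, 0xff];
const SIGNATURES = new Map([
    ['jpg', JPEG], ['jpeg', JPEG],
    ['png', [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
    ['gif', [0x47, 0x49, 0x46, 0x38]],
    ['pdf', [0x25, 0x50, 0x44, 0x46, 0x2d]],
    ['doc', OLE], ['xls', OLE], ['docx', ZIP], ['xlsx', ZIP],
]);
const BLOCKED = new Set(['exe', 'php', 'sh', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs']);
const MAX_FILE_BYTES = 25 * 1024 * 1024; // per-file limit stated on the page

// Hypothetical helper: returns { ok, reason } for a file name and its bytes.
function checkUpload(filename, bytes) {
    const parts = String(filename).toLowerCase().split('.');
    if (parts.length < 2) return { ok: false, reason: 'no extension' };
    // Conservative choice: a blocked extension anywhere in the name is refused,
    // so a name with two extensions cannot pass on its last one alone.
    if (parts.slice(1).some((p) => BLOCKED.has(p))) {
        return { ok: false, reason: 'blocked extension' };
    }
    const magic = SIGNATURES.get(parts[parts.length - 1]);
    if (!magic) return { ok: false, reason: 'extension not allowed' };
    if (bytes.length > MAX_FILE_BYTES) return { ok: false, reason: 'file too large' };
    // Content check: the file must start with the signature its extension promises.
    if (bytes.length < magic.length || !magic.every((b, i) => bytes[i] === b)) {
        return { ok: false, reason: 'content does not match extension' };
    }
    return { ok: true, reason: 'accepted' };
}

// Constructed sample inputs (not real uploads).
const PNG_HEAD = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const JPEG_HEAD = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0, 16]);
const SAMPLES = [
    ['photo.png', PNG_HEAD],
    ['invoice.pdf', Buffer.from('plain text, not a PDF')],
    ['report.php.jpg', JPEG_HEAD],
    ['notes.txt', Buffer.from('hello')],
    ['README', Buffer.from('hello')],
];
for (const [name, data] of SAMPLES) {
    console.log(name, '->', checkUpload(name, data).reason);
}
```

A matching signature is necessary but not sufficient: any ZIP archive starts with the same bytes as a .docx, so this check complements the MIME and extension checks rather than replacing them.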

Best Security Practices

For Site Owners

1. Use HTTPS

Why: Encrypts data between user and server

How to enable:

  • Use SSL certificate (free via Let's Encrypt)
  • Force HTTPS in WordPress settings
  • Update all URLs to https://

// In wp-config.php (forces HTTPS for the login and admin screens only)
define('FORCE_SSL_ADMIN', true);

2. Keep WordPress Updated

Best practice:

  • ✅ Update WordPress core regularly
  • ✅ Update plugins monthly
  • ✅ Update themes quarterly
  • ✅ Enable auto-updates for security patches

3. Strong Passwords

Requirements:

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • No dictionary words
  • Unique per site

Use password manager:

  • 1Password
  • LastPass
  • Bitwarden

4. Limit Login Attempts

Install security plugin:

  • Wordfence
  • Sucuri
  • iThemes Security

Configure:

  • Max 5 login attempts
  • 30-minute lockout
  • Email notifications

5. Regular Backups

Backup schedule:

  • Database: Daily
  • Files: Weekly
  • Test restore: Monthly

Backup solutions:

  • UpdraftPlus
  • BackupBuddy
  • VaultPress

For Webhook Security

1. Use Webhook Secrets

In n8n workflow:

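// Add verification
const crypto = require('crypto');

const signature = String(req.headers['x-signature'] || '');
const secret = 'your-secret-key'; // Placeholder: load the real secret from a credential store
// The HMAC must cover the same bytes the sender signed; re-serialising the
// parsed body only matches if both sides produce identical JSON
const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(req.body))
    .digest('hex');

// Compare in constant time; timingSafeEqual throws on unequal lengths, so check those first
const received = Buffer.from(signature, 'utf8');
const expected = Buffer.from(expectedSignature, 'utf8');
if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { error: 'Invalid signature' };
}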
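
Added example (not the plugin's or n8n's own code): both sides of the signature exchange described above, signing and verifying the raw request body so that the check does not depend on how JSON is re-serialised. The secret, the payload and the function names signBody and verifySignature are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Sender side: sign the exact bytes that go on the wire.
function signBody(secret, rawBody) {
    return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: recompute over the raw body and compare in constant time.
function verifySignature(secret, rawBody, headerValue) {
    if (typeof headerValue !== 'string') return false;
    const expected = Buffer.from(signBody(secret, rawBody), 'utf8');
    const received = Buffer.from(headerValue.trim().toLowerCase(), 'utf8');
    // timingSafeEqual throws on unequal lengths, so reject those first.
    if (received.length !== expected.length) return false;
    return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (not from the plugin).
const SECRET = 'constructed-demo-secret';
const RAW_BODY = '{"form_data": {"field_email": "user@example.com", "field_description": "hello"}}';
const SIGNATURE = signBody(SECRET, RAW_BODY);

function demo() {
    // Parsing and re-serialising drops the spaces after ':' so the bytes differ.
    const reserialised = JSON.stringify(JSON.parse(RAW_BODY));
    return {
        genuine: verifySignature(SECRET, RAW_BODY, SIGNATURE),
        tampered: verifySignature(SECRET, RAW_BODY.replace('hello', 'HELLO'), SIGNATURE),
        reserialised: verifySignature(SECRET, reserialised, SIGNATURE),
        wrongSecret: verifySignature('other-secret', RAW_BODY, SIGNATURE),
        missingHeader: verifySignature(SECRET, RAW_BODY, undefined),
        truncated: verifySignature(SECRET, RAW_BODY, SIGNATURE.slice(0, 10)),
    };
}

console.log(demo());
```

Only the genuine case verifies; the re-serialised case fails even though the JSON content is identical, which is why the receiver should keep the raw body available for the HMAC.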

2. Validate Input in Webhook

In n8n Code node:

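// Fall back to an empty object so a malformed payload is rejected below instead of throwing
const formData = ($json.body && $json.body.form_data) || {};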

// Validate required fields
if (!formData.field_email) {
    return { error: true, message: 'Email required' };
}

// Validate email format
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!emailRegex.test(formData.field_email)) {
    return { error: true, message: 'Invalid email' };
}

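// Validate input length (a missing description counts as empty instead of throwing)
const description = String(formData.field_description ?? '');
if (description.length > 5000) {
    return { error: true, message: 'Description too long' };
}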

// Proceed with processing

3. Rate Limiting

Prevent abuse:

In n8n (using Redis):

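const redis = require('redis');
const client = redis.createClient();
await client.connect(); // node-redis v4+ needs an explicit connect

// The address is caller-supplied; normalise it so a change of case does not get a fresh counter
const userEmail = String($json.body.form_data.field_email).trim().toLowerCase();
const key = `ratelimit:${userEmail}`;

// Increment first: INCR is atomic, so concurrent requests cannot slip past the check
const count = await client.incr(key);

// Start the window on the first request only, so later requests do not extend it
if (count === 1) {
    await client.expire(key, 3600); // 1 hour
}

// Allow at most 10 requests per window
if (count > 10) {
    return {
        error: true,
        message: 'Rate limit exceeded. Try again in 1 hour.'
    };
}

// Continue processing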

4. Sanitize AI Prompts

Prevent prompt injection:

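function sanitizePrompt(input) {
    // Coerce to a string so a missing field does not throw
    input = String(input ?? '');

    // Remove control characters (this also strips tabs and newlines)
    input = input.replace(/[\x00-\x1F\x7F]/g, '');

    // Limit length
    input = input.substring(0, 2000);

    // Remove common injection attempts; repeat until nothing changes, because
    // a single pass can leave a new match behind once the removed text closes up
    let previous;
    do {
        previous = input;
        input = input.replace(/ignore previous instructions/gi, '');
        input = input.replace(/system:/gi, '');
    } while (input !== previous);

    // Phrase filters are best-effort: pass the result to the model as user
    // content, never as part of the system prompt
    return input;
}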

const userPrompt = sanitizePrompt(formData.field_description);

For Users

1. Be Cautious with Personal Data

Avoid sharing:

  • ❌ Social Security numbers
  • ❌ Credit card numbers
  • ❌ Passwords
  • ❌ Bank account info

Safe to share:

  • ✅ Name
  • ✅ Email
  • ✅ Company
  • ✅ Project details

2. Use Unique Passwords

Don't reuse passwords:

  • Each site should have unique password
  • Use password manager
  • Enable two-factor authentication

3. Verify SSL Certificate

Before submitting sensitive data:

  1. Check for 🔒 padlock in browser
  2. Click padlock → Certificate
  3. Verify domain matches
  4. Check certificate is valid

Advanced Access Control

Role-Based Access (Coming in v1.2)

Future feature:

  • Restrict by WordPress role
  • Example: Editors only, Subscribers only
  • Custom role support

Configuration:

// Future implementation
$allowed_roles = array('editor', 'administrator');
$user_roles = wp_get_current_user()->roles;
$has_access = !empty(array_intersect($allowed_roles, $user_roles));

Membership Integration (Coming in v1.2)

Support for:

  • MemberPress
  • Restrict Content Pro
  • Paid Memberships Pro

Example usage:

Agent: "Premium AI Image Generator"
Requires: Gold Membership or higher

Custom Permissions (Coming in v2.0)

Per-agent permissions:

  • View
  • Submit forms
  • View results
  • Download outputs

Per-user limits:

  • Submissions per day
  • File upload quota
  • AI credits

Security Checklist

WordPress Security

  • ☐ HTTPS enabled sitewide
  • ☐ WordPress core updated
  • ☐ Plugins updated
  • ☐ Themes updated
  • ☐ Admin username is NOT "admin"
  • ☐ Strong passwords (12+ characters)
  • ☐ Two-factor authentication enabled
  • ☐ Login attempts limited
  • ☐ Automatic backups configured
  • ☐ Security plugin installed
  • ☐ File permissions correct (644 files, 755 dirs)
  • ☐ wp-config.php protected

Plugin Security

  • ☐ Access control configured per agent
  • ☐ Webhook URLs use HTTPS
  • ☐ File upload limits set appropriately
  • ☐ Allowed file types restricted
  • ☐ Form validation working
  • ☐ Nonce verification active
  • ☐ Input sanitization verified
  • ☐ Output escaping in place

Webhook Security

  • ☐ Webhook secret configured (if supported)
  • ☐ Input validation in workflow
  • ☐ Rate limiting implemented
  • ☐ Error handling in place
  • ☐ Logging enabled
  • ☐ No sensitive data in responses
  • ☐ API keys secured
  • ☐ HTTPS endpoints only

User Data

  • ☐ Privacy policy published
  • ☐ Terms of service published
  • ☐ GDPR compliance (if EU users)
  • ☐ Data retention policy defined
  • ☐ User data deletable
  • ☐ Consent checkboxes (if needed)
  • ☐ Email notifications opt-in

Common Security Issues

Issue 1: Unauthorized Access

Symptom: Users accessing protected agents without login

Solution:

  1. Verify "Require Login" is checked
  2. Clear browser cache
  3. Test in incognito window
  4. Check user capability

Issue 2: CSRF Errors

Symptom: "Security check failed" on form submit

Solution:

  1. Clear WordPress cache
  2. Regenerate nonces (logout/login)
  3. Check plugin conflicts
  4. Verify nonce field in form HTML

Issue 3: File Upload Rejected

Symptom: "File type not allowed"

Solution:

  1. Check file extension
  2. Verify MIME type
  3. Try different file
  4. Check allowed types in config

Issue 4: XSS Vulnerability

Symptom: User-submitted content showing raw HTML/JavaScript

Solution:

  1. Verify all output uses esc_html()
  2. Check webhook responses
  3. Update plugin if outdated
  4. Report to plugin developers

Resources

Security Tools

WordPress Plugins:

  • Wordfence Security
  • Sucuri Security
  • iThemes Security
  • All In One WP Security

Testing Tools:

  • WPScan (security scanner)
  • Sucuri SiteCheck
  • WordPress Security Scan

Password Managers:

  • 1Password
  • LastPass
  • Bitwarden

Further Reading