Security Headers, Robots.txt and Advanced Network setting

Advanced Network Settings

Advanced Network Settings provides greater control of your CampusPress network, including controlling which users or sites can add Custom HTML and JS, enabling the HTTP Strict Transport Security header network-wide, customizing the X-Frame-Options header, controlling SEO settings for archive pages and modifying robots.txt output.

Activate Advanced Network Settings

To use advanced network features, you first need to network activate the plugin as follows:

1.  Go to Plugins > Plugin Management in the network admin dashboard.

2.  Click on Network Activate next to Advanced Network Settings.

3.  You should now see a new Advanced Settings menu item in the network admin dashboard.

Configure Advanced Network Settings

You configure your Advanced Network Settings in Settings > Advanced Settings in the network admin dashboard.

Restrict Custom Code

By default, all users are able to add embed code to posts, pages and text widgets. This option allows you to disable the ability to add embed code on all sites, or to restrict it to specific sites or users.

Select Allow nowhere under "Allow Custom HTML and JS" by default to disable the ability to embed code to posts, pages and text widgets.

Headers

Headers allow you to enable the HTTP Strict Transport Security header, customize the X-Frame-Options header, enable the X-Content-Type-Options header and configure the Content Headers.

By default, the customize X-Frame-Options header setting is off. Deny prevents sites on your CampusPress network from being embedded within an iframe on any other service, whereas same origin allows sites on your CampusPress network to be embedded only within an iframe on another site hosted on your CampusPress network.
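
One way to confirm from outside which of these header settings are in effect, as an added example that is not part of CampusPress's documentation or code. It parses a raw response header block and grades the three headers named above; the function names, verdict strings and both sample responses are constructed for this example.

```python
import re

def parse_headers(raw):
    """Parse a raw response header block (status line first) into a dict."""
    headers = {}
    for line in raw.splitlines()[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Grade the three headers controlled by the Headers settings."""
    h = parse_headers(raw)
    out = {}
    hsts = h.get("strict-transport-security")
    age = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        out["hsts"] = "missing"
    elif not age or int(age.group(1)) == 0:
        out["hsts"] = "ineffective"                # max-age=0 clears the policy
    elif "includesubdomains" in hsts.lower():
        out["hsts"] = "ok+subdomains"
    else:
        out["hsts"] = "ok"
    xfo = h.get("x-frame-options")
    if xfo is None:
        out["xfo"] = "off"                         # no framing restriction sent
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        out["xfo"] = xfo.lower()
    else:
        out["xfo"] = "invalid"                     # e.g. obsolete ALLOW-FROM
    xcto = h.get("x-content-type-options")
    out["xcto"] = "missing" if xcto is None else (
        "ok" if xcto.lower() == "nosniff" else "invalid")
    return out

# Constructed sample responses (not captured from a real site).
HARDENED = ("HTTP/2 200\n"
            "content-type: text/html; charset=UTF-8\n"
            "strict-transport-security: max-age=31536000; includeSubDomains\n"
            "x-frame-options: SAMEORIGIN\n"
            "x-content-type-options: nosniff\n")
WEAK = ("HTTP/1.1 200 OK\n"
        "Content-Type: text/html; charset=UTF-8\n"
        "Strict-Transport-Security: max-age=0\n"
        "X-Content-Type-Options: no-sniff\n")

if __name__ == "__main__":
    print(audit(HARDENED), audit(WEAK))
```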

SEO Settings for archive pages

SEO Settings for archive pages is used to block or allow archive pages to be indexed by search engines.

Google reCAPTCHA v2 & v3

This section allows Super Admins to configure a custom Google reCAPTCHA v2/v3 setup across the entire network. reCAPTCHA helps protect your network from spam and abuse, particularly on public-facing forms such as comments and logins.

To enable and configure Google reCAPTCHA v2/v3:

  1. Enter the following keys:
    • Google reCAPTCHA v2/v3 Key:
      Your public reCAPTCHA key (Site Key) obtained from the Google reCAPTCHA Admin Console.
    • Google reCAPTCHA v2/v3 Secret:
      Your private Secret Key from the same console.

Once set, the reCAPTCHA will be active where supported across the network—particularly useful for login forms and comment protection. Only reCAPTCHA v2 is currently supported.

Note: Ensure your keys correspond to reCAPTCHA v2, not v3 or Invisible reCAPTCHA. If you’re using a plugin that manages reCAPTCHA separately, this setting may be overridden or redundant.

Comments

This section allows Super Admins to globally disable WordPress comments across the entire network, while still offering the flexibility to allow comments on selected sites.
Options:

  • Network Disable Comments
    • On – Disables comments site-wide on all subsites in the network while also allowing individual sites to manage comment settings independently.
    • Off – Comments will be enabled site-wide.
  • Allow comments on the following sites:
    When the “Network Disable Comments” toggle is On, you can specify exceptions by entering a list of site IDs separated by commas. These sites will continue to have comments enabled.

This is useful when the majority of sites in your network do not require comments, but a few still do, such as class blogs or feedback forums.

Other

The Other section of the Advanced Settings plugin provides a set of additional controls to manage security, email behaviour, user roles, media handling, and more at the network level. These are useful for maintaining consistent behaviour across all subsites in a WordPress multisite network.

Disable Local Login

Toggle: On / Off
When enabled, this hides the “Guest Login” option from the login screen.

Use this to ensure users only log in via institution-provided Single Sign-On (SSO) or approved methods.

Modify robots.txt output

This option allows you to customise the robots.txt file for all sites on the network.

Example Input:

User-agent: YisouSpider2
Allow: /
User-agent: YisouSpider
Disallow: /

These lines are appended to the automatically generated robots.txt file for each site.
Note: Incorrect rules may block legitimate crawlers or expose private content. Use with caution.
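
A pre-deployment check for the caution above, as an added example that is not CampusPress code: it appends the example input to a stand-in for the generated file and reports which crawler/path verdicts change. The generated file, agent list and paths are constructed assumptions, and verdicts come from Python's standard-library parser, which real crawlers may not match exactly.

```python
from urllib.robotparser import RobotFileParser

# Constructed stand-in for a site's automatically generated robots.txt.
GENERATED = "User-agent: *\nDisallow: /wp-admin/\n"

# The example input shown on this page.
CUSTOM = ("User-agent: YisouSpider2\nAllow: /\n"
          "User-agent: YisouSpider\nDisallow: /\n")

# Constructed test matrix: one crawler not named in the rules, plus the two that are.
AGENTS = ["Googlebot", "YisouSpider", "YisouSpider2"]
PATHS = ["/", "/wp-admin/"]

def verdicts(robots_txt, agents, paths):
    """Map (agent, path) -> True if the agent may fetch the path."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return {(a, p): rp.can_fetch(a, p) for a in agents for p in paths}

def changes(generated, custom, agents, paths):
    """Verdicts that differ once the custom lines are appended."""
    before = verdicts(generated, agents, paths)
    after = verdicts(generated.rstrip("\n") + "\n\n" + custom, agents, paths)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

if __name__ == "__main__":
    for (agent, path), (was, now) in changes(GENERATED, CUSTOM, AGENTS, PATHS).items():
        print(f"{agent} {path}: allowed {was} -> {now}")
```

A group that names a specific crawler replaces the `*` group for that crawler, which is why YisouSpider2 also loses the /wp-admin/ restriction here.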

Allow New Pages for Contributors

Toggle: On / Off
When enabled, users with the Contributor role are allowed to create and submit Pages (not just Posts) for review. By default, contributors can only submit posts pending review, can’t publish posts and can’t create pages.

Delete Email

This field allows you to customize the email sent to site owners when they request to delete their site.

Default Template:

Howdy ###USERNAME###,

You recently clicked the 'Delete Site' link on your site and filled in a form on that page.
If you delete your site, please consider opening a new site here some time in the future! (But remember your current site and username are gone forever.)
If you really want to delete your site, click the link below. You will not be asked to confirm again so only click this link if you are absolutely certain:

###URL_DELETE###
Thanks for using the site,
All at ###SITENAME###
###SITEURL###

Variables supported:

###USERNAME###
###SITEURL###
###SITENAME###
###URL_DELETE###

Default Media Link On Upload

Option: File / None / Attachment Page
This setting controls the default link applied to media uploaded via the Media Library.

For example, setting Default Media Link On Upload to File ensures that images link directly to the image file rather than an attachment page.

Network Email Sender

Specify the From Name used in all outgoing network emails.
Example: If set to “WordPress,” all system-generated emails will appear as sent from “WordPress”.

Notify When a User is Added

Toggle: On / Off
When enabled, Super Admins receive an email notification when a new user is added to a site via:

  • Users > Add New
  • Users > Site & User Creator

Disable “Forgot Password” Email to Super Admins

Toggle: On / Off
Disables the email notification sent to Super Admins when a user uses the “Forgot Password” feature.

This does not affect the password reset email sent to the user requesting the reset.

New User Notification Email

Customise the welcome message sent to users when they are added to a site.

Supported variables:

###USERNAME###
###SITEURL###
###SITENAME###

REST API Tweaks

When enabled, this setting disables the REST API endpoint for retrieving user data for unauthorised users.

  • Blocks: wp-json/wp/v2/users/ for non-authenticated users
  • Only users with the list_users capability will have access.

This improves privacy and reduces exposure of user data through the REST API.

XMLRPC Tweaks

Removes XML-RPC-related <link> tags from the <head> section of all sites in the network.
Helps reduce exposure to potential XML-RPC attacks and minimises unnecessary metadata.

Default Timezone

Set the default timezone string for all new sites on the network.
Each site can still update its timezone individually under Settings > General.

MIME Type Checking

Controls whether WordPress enforces MIME-type validation on file uploads.

  • Enabled for all users – Strict MIME type checking
  • Disabled for superadmins – Allows more flexibility for super admins.

Disabling MIME checking entirely can pose security risks by allowing potentially harmful files to be uploaded.

User Restrictions

Option: Switch Themes
Enable restrictions on specific actions for regular users (non-super-admins).
Currently supports restricting theme switching. Additional restrictions may be added in future versions.

Application Passwords

Toggle: Disable
Disables the Application Passwords feature for all users on the network.

Application passwords allow users to authenticate to the REST API without using their main login credentials. Disabling them improves security but may limit integrations.