{"id":333056,"date":"2026-07-01T09:39:51","date_gmt":"2026-07-01T09:39:51","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/nubivio-salus-security-hardening-for-healthcare\/"},"modified":"2026-07-01T13:06:35","modified_gmt":"2026-07-01T13:06:35","slug":"nubivio-healthcare-security-hardening","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/nubivio-healthcare-security-hardening\/","author":23524354,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"2.2.0","stable_tag":"2.2.0","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Nubivio Healthcare Security Hardening","header_author":"Nubivio","header_description":"Security headers, a self-renewing security.txt (RFC 9116) and advanced form protection for healthcare related WordPress sites. Built for general practitioners, psychologists and other healthcare professionals. Recommended for NIS2, GDPR & NEN7510 compliance.","assets_banners_color":"142950","last_updated":"2026-07-01 13:06:35","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/nubivio\/healthcare-security-hardening","header_author_uri":"https:\/\/nubivio.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":38,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.1.2":{"tag":"2.1.2","author":"nubivio","date":"2026-07-01 09:39:22"},"2.2.0":{"tag":"2.2.0","author":"nubivio","date":"2026-07-01 13:06:35"}},"upgrade_notice":{"2.2.0":"<p>Adds an optional Compliance tab. Existing hardening is unchanged.<\/p>","2.1.2":"<p>Adds listing assets (icon, banner, screenshot). No functional changes.<\/p>","2.1.1":"<p>Filesystem operations now use the WP_Filesystem API.<\/p>","2.1.0":"<p>Plugin renamed and code updated to meet WordPress.org review requirements. Settings move to Settings, Nubivio Security.<\/p>","2.0.0":"<p>First public release.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3592426,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3592426,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3592426,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3592426,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.1.2","2.2.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3592426,"resolution":"1","location":"assets","locale":"","width":1200,"height":1715}},"screenshots":{"1":"The Nubivio Security settings page: header status card with the live security.txt state, the security headers section with per-header toggles, and the RFC 9116 security.txt fields.","2":"The Compliance tab: compliance score, per-framework findings, site health checks and the security headers and security.txt evidence panels."}},"plugin_section":[],"plugin_tags":[19966,2846,34310,600,149750],"plugin_category":[54],"plugin_contributors":[269712],"plugin_business_model":[],"class_list":["post-333056","plugin","type-plugin","status-publish","hentry","plugin_tags-csp","plugin_tags-headers","plugin_tags-hsts","plugin_tags-security","plugin_tags-security-txt","plugin_category-security-and-spam-protection","plugin_contributors-nubivio","plugin_committers-nubivio"],"banners":{"banner":"https:\/\/ps.w.org\/nubivio-healthcare-security-hardening\/assets\/banner-772x250.png?rev=3592426","banner_2x":"https:\/\/ps.w.org\/nubivio-healthcare-security-hardening\/assets\/banner-1544x500.png?rev=3592426","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/nubivio-healthcare-security-hardening\/assets\/icon-128x128.png?rev=3592426","icon_2x":"https:\/\/ps.w.org\/nubivio-healthcare-security-hardening\/assets\/icon-256x256.png?rev=3592426","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/nubivio-healthcare-security-hardening\/assets\/screenshot-1.png?rev=3592426","caption":"The Nubivio Security settings page: header status card with the live security.txt state, the security headers section with per-header toggles, and the RFC 9116 security.txt fields."}],"raw_content":"<!--section=description-->\n<p>Security headers, a self-renewing security.txt (RFC 9116) and advanced form protection for healthcare related WordPress sites. Built for general practitioners, psychologists and other healthcare professionals. Recommended for NIS2, GDPR and NEN7510 compliance.<\/p>\n\n<p>Everything is managed from one settings page, and the defaults are safe to ship on a live site. The plugin is built to move your score on the internet.nl test in the right direction.<\/p>\n\n<p>It covers three areas:<\/p>\n\n<p><strong>Security headers<\/strong><\/p>\n\n<ul>\n<li>Strict-Transport-Security (HSTS) with configurable max-age, includeSubDomains and preload<\/li>\n<li>Content-Security-Policy with an internet.nl compliant baseline and a Report-Only test mode<\/li>\n<li>Referrer-Policy with the internet.nl rating shown per value<\/li>\n<li>X-Content-Type-Options (nosniff)<\/li>\n<li>X-Frame-Options<\/li>\n<li>Permissions-Policy<\/li>\n<li>Active removal of the deprecated X-XSS-Protection and Expect-CT headers<\/li>\n<\/ul>\n\n<p><strong>security.txt (RFC 9116)<\/strong><\/p>\n\n<ul>\n<li>Writes \/.well-known\/security.txt and serves it dynamically when the docroot is read-only<\/li>\n<li>Refreshes the Expires field automatically so it never lapses and stays under one year<\/li>\n<li>Fields for Contact, Encryption, Policy, Acknowledgments, Hiring (careers), CSAF, Preferred-Languages and Canonical<\/li>\n<li>Paste your PGP public key and the plugin hosts it at \/.well-known\/openpgp-key.txt and links it as Encryption automatically<\/li>\n<li>A free-text message to researchers and an optional signature line<\/li>\n<li>CRLF line endings and a valid Canonical URL, exactly as the internet.nl test expects<\/li>\n<\/ul>\n\n<p><strong>Gravity Forms (optional)<\/strong><\/p>\n\n<ul>\n<li>Block submissions from one or more email domains, with a custom error message<\/li>\n<li>The section only appears when Gravity Forms is active<\/li>\n<\/ul>\n\n<p>This plugin configures headers and a security.txt. It is one building block toward NIS2, GDPR and NEN7510, not a full compliance programme. It cannot change DNS or server level items such as IPv6, the CAA record, the TLS key-exchange hash or DANE. Those are handled at your host or DNS provider.<\/p>\n\n<h3>External Services<\/h3>\n\n<p>The core hardening features (security headers and security.txt) make no external requests. The optional Compliance tab, introduced in 2.2.0, uses the following external services only when you run a scan (manually or via the optional scheduled scan). Nothing here runs on normal front-end page loads.<\/p>\n\n<p><strong>WordPress.org Plugins API<\/strong><\/p>\n\n<p>When a compliance scan runs, the plugin looks up each active plugin in the WordPress.org Plugins directory to check update currency and compatibility.<\/p>\n\n<ul>\n<li>What is sent: the public plugin slug only (for example, \"akismet\"). No personal data, no site data.<\/li>\n<li>When: only during a manual or scheduled compliance scan.<\/li>\n<li>Endpoint: https:\/\/api.wordpress.org\/plugins\/info\/1.0\/{slug}.json and https:\/\/api.wordpress.org\/core\/version-check\/1.7\/<\/li>\n<li>Caching: results are cached in a transient for 12 hours.<\/li>\n<li>This is a first-party WordPress.org endpoint. Terms: https:\/\/wordpress.org\/about\/privacy\/<\/li>\n<\/ul>\n\n<p><strong>Loopback self-request (header and REST probe)<\/strong><\/p>\n\n<p>When a compliance scan runs, the plugin makes a request to its own home URL to verify that the configured security headers are actually being sent and to check whether the REST users endpoint exposes user data.<\/p>\n\n<ul>\n<li>What is sent: a normal HTTP GET to the site's own home URL. No third-party service is contacted.<\/li>\n<li>When: only during a manual or scheduled compliance scan, or admin\/cron context. Never on normal front-end page loads.<\/li>\n<li>Timeout: short (8 seconds). Result cached in a transient for 10 minutes.<\/li>\n<li>If the request fails (some hardened hosts block self-requests), the plugin falls back to showing configured values and reports that live verification was unavailable.<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to \/wp-content\/plugins\/, or install the ZIP via Plugins, Add New, Upload Plugin.<\/li>\n<li>Activate the plugin.<\/li>\n<li>Open Settings, Nubivio Security.<\/li>\n<li>Set a Contact value under security.txt.<\/li>\n<li>To pass the internet.nl Content-Security-Policy check, enable CSP, test in Report-Only, add the domains your site needs, then turn Report-Only off to enforce.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20activating%20the%20plugin%20break%20my%20site%3F\"><h3>Will activating the plugin break my site?<\/h3><\/dt>\n<dd><p>No. HSTS, nosniff, X-Frame-Options, Referrer-Policy and Permissions-Policy are safe defaults. Content-Security-Policy is off by default because a strict policy needs tuning per site.<\/p><\/dd>\n<dt id=\"how%20do%20i%20get%20a%20fully%20green%20internet.nl%20result%3F\"><h3>How do I get a fully green internet.nl result?<\/h3><\/dt>\n<dd><p>Enable and enforce a Content-Security-Policy that fits your site, set Referrer-Policy to no-referrer or same-origin, and set a Contact for security.txt. IPv6, CAA, the TLS hash and DANE are out of scope and must be fixed at your host or DNS.<\/p><\/dd>\n<dt id=\"can%20i%20publish%20a%20pgp%20key%3F\"><h3>Can I publish a PGP key?<\/h3><\/dt>\n<dd><p>Yes. Paste your ASCII-armored public key in the security.txt section. The plugin hosts it at \/.well-known\/openpgp-key.txt and references it from security.txt as the Encryption field automatically.<\/p><\/dd>\n<dt id=\"does%20this%20make%20me%20nis2%2C%20gdpr%20or%20nen7510%20compliant%3F\"><h3>Does this make me NIS2, GDPR or NEN7510 compliant?<\/h3><\/dt>\n<dd><p>It covers the public web hardening part: transport security, browser protections and a vulnerability disclosure contact. It is a useful building block, not a full compliance programme.<\/p><\/dd>\n<dt id=\"is%20gravity%20forms%20required%3F\"><h3>Is Gravity Forms required?<\/h3><\/dt>\n<dd><p>No. The header and security.txt features work on any site. The form section only appears when Gravity Forms is active.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.2.0<\/h4>\n\n<ul>\n<li>New Compliance tab: CRA, GDPR and NIS2 scanning plus site health checks<\/li>\n<li>Live verification that configured security headers are actually sent<\/li>\n<li>security.txt and headers now scored and mapped to CRA \/ NIS2 \/ GDPR clauses<\/li>\n<li>Compliance score with per-framework breakdown<\/li>\n<li>Generators: Vulnerability Disclosure Policy, CycloneDX SBOM, EU\/NEN 7510 conformity declaration<\/li>\n<li>Printable compliance report (browser print to PDF, no added dependencies)<\/li>\n<li>Existing header and security.txt hardening unchanged<\/li>\n<\/ul>\n\n<h4>2.1.2<\/h4>\n\n<ul>\n<li>Added plugin icon, banner and a settings page screenshot for the WordPress.org listing<\/li>\n<\/ul>\n\n<h4>2.1.1<\/h4>\n\n<ul>\n<li>All filesystem reads, writes and deletes now go through the WP_Filesystem API and wp_delete_file()<\/li>\n<\/ul>\n\n<h4>2.1.0<\/h4>\n\n<ul>\n<li>Renamed the plugin to Nubivio Healthcare Security Hardening<\/li>\n<li>Admin CSS and JavaScript are now enqueued instead of printed inline<\/li>\n<li>The security.txt and PGP key files are now located via get_home_path() so they land at the public site root on subdirectory and custom installs<\/li>\n<li>Internal option, cron and nonce keys renamed to the new namespace<\/li>\n<\/ul>\n\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>Settings page for all options<\/li>\n<li>internet.nl compliant Content-Security-Policy baseline with Report-Only mode<\/li>\n<li>Self-renewing security.txt with CRLF line endings and an expiry kept under one year<\/li>\n<li>Hosted PGP public key, linked from security.txt as Encryption<\/li>\n<li>Extra security.txt fields: Hiring, CSAF, researcher message and an optional signature<\/li>\n<li>Removal of deprecated X-XSS-Protection and Expect-CT headers<\/li>\n<li>Gravity Forms email-domain blocking, shown only when Gravity Forms is active<\/li>\n<\/ul>","raw_excerpt":"Security headers, a self-renewing security.txt (RFC 9116) and advanced form protection for healthcare related WordPress sites.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/333056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=333056"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/nubivio"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=333056"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=333056"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=333056"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=333056"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=333056"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=333056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}