Skip to content

Security Overview

The security manager can whitelist a token/IP, enforce token and IP rates, limit length, match blocked words/IPs, detect patterns/behavior, score severity, block at a threshold, and flag the local log.

Security checks run before the plugin sends an accepted message to OpenAI. A whitelist can bypass checks; otherwise SmartSite evaluates IP blocks, rate, length, blocked phrases, automated content patterns, and token-based behavior. Detected reasons carry severity scores and can be logged, flagged, or blocked according to the configured action and threshold.

First, keep the master security system enabled. The useful result comes later when you save before using security tester, then review flagged conversations, because configuration values matter only when their effect can be seen in retrieval, a generated reply, visitor access, or the connected service.

Use the dashboard to reduce abuse and create review evidence while keeping false positives manageable.

Use this feature in the following situations:

  • You are preparing a public launch and need a layered baseline against abuse and unexpected cost.
  • You are reviewing why a message was allowed, flagged, or denied.
  • You need to tune a false positive without disabling unrelated protections.
WordPress locationWordPress Dashboard → AI Website Chat → Security
  • SmartSite Assistant is installed and activated.
  • You are signed in with an account that can manage WordPress options.
  1. Keep the master security system enabled.
  2. Review current defaults before editing.
  3. Test token/IP rate and message length with safe inputs.
  4. Add narrowly scoped blocked words or IP entries only when required.
  5. Review automated detection patterns and severity weights.
  6. Choose threshold/action based on testing.
  7. Save before using Security Tester, then review Flagged Conversations.

Security controls protect the service and its visitors; they are not a method for teaching the AI better answers. Limits and detections can stop or flag risky input before or around processing, while logs support review. Settings that are too strict can block legitimate questions, so the goal is a tested balance that preserves useful conversations without exposing cost, data, or actions unnecessarily.

Fields, controls, and important values
Field, control, or statusWhat SmartSite Assistant does with itHow to use it and why it matters
Master enabled Default on; gates the security checks. “Master enabled” controls whether this part of the workflow runs or appears. Its effect on responses depends on the feature—some switches change available knowledge or tools, while others only change presentation or protection—so perform the page-specific test.
Whitelist Exact token or IP match bypasses all checks. “Whitelist” defines an audience or assistant scope, not permission to disclose sensitive information. Keep the scope as narrow as practical, test one allowed and one denied case, and enforce real authorization inside every data-returning tool.
Severity defaults Low 1, Medium 3, High 5, Critical 10. “Severity defaults” is meaningful only with its stated unit and the behavior it triggers. Compare representative traffic before and after a change, because a lower threshold often acts sooner without making the AI itself more accurate.
Automated threshold/action Default threshold 10 and action Flag. Interpret “Automated threshold/action” with the unit, range, and default shown beside it. Change one boundary at a time and test just below and above it; tighter numbers may protect cost or safety but can also remove legitimate context or activity.
Logging Flags below the blocking threshold are still attached to allowed turns; blocked attempts are also logged. “Logging” contributes this safeguard or review signal: Flags below the blocking threshold are still attached to allowed turns; blocked attempts are also logged. It does not improve a permitted answer; it changes whether activity continues, is flagged, or remains available for investigation.

After saving Security Overview, repeat the final test with clean context. That distinction matters because WordPress can store a valid value even when remote processing, access rules, caching, or delivery prevents it from influencing the real experience.

Keep a critical jailbreak score at 10 with threshold 10 so a matched default jailbreak pattern reaches the configured action.

  • Change one part of Security Overview at a time and keep a short record of the previous value and test result.
  • Include ordinary near-matches in every test so protection is not tuned only against deliberately obvious abuse.
Common problems and focused checks
ProblemWhat to check and what to do next
Security Overview is missing or does not match this guide. Confirm the plugin is active and the account can manage WordPress options. Reproduce the exact message safely and identify the matching limit, pattern, score, address, or whitelist entry.
A change on Security Overview does not produce the expected result. Keep the exact notice and test case, then review the browser console and WordPress/PHP log. Reproduce the exact message safely and identify the matching limit, pattern, score, address, or whitelist entry.
Security Overview
Capture
Show the Security dashboard summary and configuration navigation with default threshold/severity cards visible, no conversation content.
Show
Master state, rate/length summaries, threshold/action, severity weights, Flagged Conversations link
Viewport
Desktop, 1440 × 900
Annotate
Use numbered callouts only for controls referenced in the procedure.
Redact
OpenAI keys, tokens, secrets, personal information, private URLs, IP addresses, and conversation text