Security & Best Practices
To ensure the secure and optimal operation of the Supervised AI Bots plugin on your WordPress site, follow these security guidelines and implementation best practices.
Data Integrity & URL Safety
The plugin functions by embedding external chatbot interfaces via iframes. To maintain a secure environment for your visitors:
- Use HTTPS Only: Always use the `https://` protocol when adding bot URLs in the settings page. Using non-secure `http://` links may trigger "Mixed Content" warnings in modern browsers, causing the chatbot to fail to load or compromising the security of user interactions.
- Verify Sources: Only input URLs from trusted Supervised AI domains. Avoid adding third-party scripts or URLs that have not been verified by your organization, as these could lead to cross-site scripting (XSS) risks.
- Validate Input: Ensure there are no trailing spaces or special characters in the textarea within the settings interface. Each URL must be on its own line for the shortcode ID mapping to function correctly.
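As an added example (not the plugin's own code), a settings sanitize callback that enforces the three rules above on save: one URL per line with surrounding whitespace trimmed, `https://` only, and a host that is a trusted Supervised AI domain or a subdomain of it. The option name `sab_example_bot_urls`, the settings group, the function name and the trusted-domain list are assumptions; the WordPress functions used (`register_setting`, `wp_parse_url`, `esc_url_raw`, `add_settings_error`) are the standard core APIs.

```php
<?php
// Added example, not the plugin's own code. Option/group/function names are assumptions.
function sab_example_sanitize_bot_urls( $raw ) {
    $trusted_roots = array( 'supervised.co' ); // assumed trusted root domain(s)
    $clean  = array();
    $errors = array();

    // One URL per line. Blank lines are dropped so the saved list has no gaps
    // that would shift the shortcode ID numbering (assumption about the mapping).
    foreach ( preg_split( '/\r\n|\r|\n/', (string) $raw ) as $index => $line ) {
        $url = trim( $line ); // removes trailing spaces the settings text warns about
        if ( '' === $url ) {
            continue;
        }
        $parts  = wp_parse_url( $url );
        $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
        $host   = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : '';

        if ( 'https' !== $scheme ) {
            $errors[] = sprintf( 'Line %d: only https:// URLs are accepted.', $index + 1 );
            continue;
        }
        $trusted = false;
        foreach ( $trusted_roots as $root ) {
            // Exact match or a real subdomain (".supervised.co" suffix), never a lookalike.
            if ( $host === $root || substr( $host, -strlen( '.' . $root ) ) === '.' . $root ) {
                $trusted = true;
                break;
            }
        }
        if ( ! $trusted ) {
            $errors[] = sprintf( 'Line %d: "%s" is not a trusted Supervised AI host.', $index + 1, esc_html( $host ) );
            continue;
        }
        $clean[] = esc_url_raw( $url ); // strips characters that are invalid in a URL
    }

    if ( $errors ) {
        add_settings_error( 'sab_example_bot_urls', 'invalid_bot_url', implode( ' ', $errors ), 'error' );
    }
    return implode( "\n", $clean );
}

add_action( 'admin_init', function () {
    register_setting( 'sab_example_settings', 'sab_example_bot_urls', array(
        'type'              => 'string',
        'sanitize_callback' => 'sab_example_sanitize_bot_urls',
    ) );
} );
```

Rejected lines are reported on the settings page via `add_settings_error` rather than saved, so a mistyped `http://` or untrusted host never reaches the iframe.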
Shortcode Implementation
When deploying chatbots using the [supervised_ai_bot] shortcode, adhere to the following practices:
- ID Mapping: The `id` attribute corresponds to the row number of the URL in your settings (starting at 1). If you rearrange the list of URLs in the settings page, you must update your shortcodes across your posts and pages to reflect the new order.
- Conflict Prevention: Avoid placing multiple chatbot shortcodes on the same page unless specifically required. Since the bot UI uses a fixed-position popup (`.popup-container`), multiple bots may overlap and hinder the user experience.
Iframe & Content Security Policy (CSP)
If your WordPress site uses a Content Security Policy (CSP) header, you must whitelist the Supervised AI domains to allow the iframe to load.
Example of a CSP modification for your server configuration:
Content-Security-Policy: frame-src 'self' https://supervised.co *.supervised.co;
Access Control & Permissions
By default, the "Supervised AI Bots" settings page is restricted to users with administrative privileges.
- Restrict Settings Access: Ensure that only authorized personnel have the `manage_options` capability.
- Audit Bot URLs: Regularly review the list of configured URLs in the plugin settings to ensure no unauthorized endpoints have been added.
UI & Performance Best Practices
- Mobile Visibility: The chatbot popup is set to a fixed width of `400px` and a height of `670px`. Ensure your site's mobile theme does not have elements (like "Back to Top" buttons) that conflict with the `.circle-button` located at the bottom-right of the screen.
- Z-Index Management: The plugin uses a `z-index` of `9999` for the launcher button and `1001` for the popup. If your site's header or other overlays are appearing on top of the chatbot, you may need to adjust your theme's CSS.
Licensing & Compliance
This plugin is licensed under the GNU General Public License v2 or later.
- Open Source Adherence: You are free to modify and redistribute the plugin under the terms of the GPLv2.
- Attribution: Maintain the original credits in the `README.md` and plugin headers when creating forks or derivative works.
- Data Privacy: Since the chatbot interacts with users, ensure your site's Privacy Policy reflects that a third-party service (Supervised AI) is processing chat data.