The Solid Security Tools page provides you with powerful, one-time features designed to handle maintenance, configuration resets, and recovery actions. These features work directly on the site’s configuration, files, and database.
Key Considerations #
Actions are immediate and affect the live site, so always proceed with caution when using the tools. Ideally, only run a tool after creating a fresh backup of your site.
Backups are strongly recommended before running tools that modify critical items such as encryption keys, user IDs, or database prefixes.
Accessing Tools #
Navigate to your WordPress dashboard > Security > Tools page to see the available Solid Security tools on your site, based on your plugin configuration.
Each tool includes a description of what it does, optional inputs (if needed), and a run button to execute the task. After execution, the tool returns a message showing success, warning, or error.
Import and Export #
The Import and Export tools make it easy to replicate security settings across different sites.
- Import Settings – Apply a previously exported Solid Security configuration (JSON file) to the current site.
- Export Settings – Download the site’s current Solid Security configuration for backup or reuse elsewhere.
Additional Tools #
Encryption Key Management #
The Encryption Key tools control the secret key Solid Security uses to encrypt sensitive data. Managing this key helps keep stored secrets secure.
Set Encryption Key #
Generate and save a new ITSEC_ENCRYPTION_KEY. If encryption is already active, existing encrypted secrets are re-encrypted using the new key.
Rotate Encryption Key #
Re-key existing encrypted data using the previously known encryption key. This is typically done after a manual key change.
MU-Plugin Loader #
The MU-Plugin loader tools ensure Solid Security runs as early as possible during WordPress’s boot process, which is useful for environments that require early initialization.
Create MU Plugin Loader #
Running this tool adds a loader file in wp-content/mu-plugins/ so Solid Security initializes on your site sooner.
Remove MU Plugin Loader #
Deletes the previously created MU loader file from the mu-plugins directory.
Server Identification and Admin User Hardening #
Identify Server IPs #
This tool detects and stores the server’s IPs via DNS and loopback, improving IP detection behind proxies or CDNs.
Change “admin” Username #
Changes the default admin user to a unique, unused username.
Change User ID 1 #
Recreates the user with ID 1 so no account remains with ID 1, updating all associated references (posts, usermeta, comments, and links).
File and Configuration Rules #
These tools refresh Solid Security’s rules in critical configuration files to ensure they are up-to-date and correctly applied.
Server Config Rules #
The Regenerate Server Config Rules tool rewrites security-related directives in .htaccess or equivalent server configuration files.
wp-config.php Rules #
The Regenerate WP-Config Rules tool rewrites Solid Security’s rules in wp-config.php to align with the current plugin configuration.
Database and Authentication #
These tools improve security by changing database identifiers and regenerating authentication salts, both of which disrupt common attack methods.
Change Database Table Prefix #
Running the Change Database Prefix tool generates a new random database table prefix, updates wp-config.php, renames all affected tables, and adjusts references.
Change WordPress Salts #
Running the Change WordPress Salts tool regenerates the WordPress authentication salts, which invalidates all existing user sessions and strengthens cookie security.
System Health #
These tools check the site’s file system and hosting environment to confirm whether best practices are being followed.
Check File Permissions #
Running Check File Permissions compares the current file and directory permissions against Solid Security’s recommendations and provides a report. Note that the report generated is only a guide and it’s important to align with your hosting provider’s recommended file and folder permissions.
File permissions play a critical role in both security and functionality. Incorrect settings can expose your site to unauthorized changes, or block plugins and WordPress itself from writing necessary updates.
File permissions determine who can read, write, and execute files, while file ownership controls which user these permissions apply to.
While recommendations vary by host, common settings are:
- Directories: 755 – owner can write; others can read and execute.
- Files: 644 – owner can read and write; others can read.
- Critical files (e.g., wp-config.php, .htaccess): 444 – read-only for everyone if no edits are expected.
Always ensure that file permissions align with your host’s server configuration and security policies, using Solid Security’s recommendations only as a baseline.
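To verify the baseline outside the dashboard, the following added example (not part of Solid Security or its documentation) is a POSIX shell audit that flags paths deviating from the modes listed above. The function names, finding labels, and the constructed sample tree are assumptions; change the modes to match your host's policy.

```shell
#!/bin/sh
# Added example: function names, labels and the sample tree are assumptions.

# Print one finding per line; return 1 if anything deviates from the baseline.
audit_wp_perms() {
    root=${1:?usage: audit_wp_perms <wordpress-root>}
    findings=$(
        # Directories: baseline 755
        find "$root" -type d ! -perm 755 | sed 's/^/DIR_NOT_755 /'
        # Regular files: baseline 644, critical files are handled below
        find "$root" -type f ! -perm 644 \
            ! -path "$root/wp-config.php" ! -path "$root/.htaccess" |
            sed 's/^/FILE_NOT_644 /'
        # Critical files: 444 when no edits are expected
        for f in wp-config.php .htaccess; do
            [ -f "$root/$f" ] || continue
            find "$root/$f" ! -perm 444 | sed 's/^/CRITICAL_NOT_444 /'
        done
        # Anything writable by other users is the highest-priority finding
        find "$root" \( -type f -o -type d \) -perm -002 |
            sed 's/^/WORLD_WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with three deliberate deviations.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/.htaccess"
    : > "$t/wp-content/uploads/a.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"        # deviation: world-writable directory
    chmod 644 "$t/index.php" "$t/.htaccess"  # .htaccess deviates from 444
    chmod 444 "$t/wp-config.php"
    chmod 666 "$t/wp-content/uploads/a.php"  # deviation: world-writable file
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_wp_perms "$tree" || echo "deviations from baseline found"
rm -rf "$tree"
```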
For a more detailed explanation of how WordPress file permissions work and why they matter, check out this post: WordPress File Permissions: 8 Things to Know
Security Check Pro #
Runs a scan of the hosting environment, checking items such as SSL availability and IP header support, and provides recommendations.
Frequently Asked Questions #
Why can’t I see all the tools? #
Some tools only appear when conditions are met. For example, the user hardening tool “Change “admin” Username” only shows if the vulnerable user exists on your site.
Can I run a tool more than once? #
Yes, it’s okay to run a tool more than once. Some tools (like regenerating rules) may have little effect if nothing has changed, while others (like encryption resets) may require confirmation.
Is WP-CLI supported? #
Certain tasks, such as encryption key rotation on large sites, can be run more efficiently via WP-CLI, though the Tools screen provides the same functionality within your WordPress dashboard.
