All about the Solid Security Settings

Once you’re up and running with Solid Security, it’s helpful to have a clear understanding of how the settings work, individually.

The Settings section is your command center for customizing your Solid Security settings to meet your website’s needs.

Here, you can find essential options for global settings, module management, notifications, and fine-tune specific features like login and brute force protection. 

This document details each option you can find in Settings and equips you with ample knowledge on setting up the essential security features on your site.

Global Settings #

The Global Settings tab contains basic settings for plugin-wide features and controls how Solid Security functions.

Write To Files #

The write to files setting gives Solid Security the ability to write to your wp-config.php and .htaccess files.

How It Works:

When Write To Files is enabled, Solid Security schedules an hourly “flush” job that regenerates and writes the security rules to your config files. If disabled, the hourly flushing of rules does not take place.

Risks:

If your server’s storage is low, the scheduled write may fail or truncate file contents, potentially leaving the files in an unusable or empty state, causing a site to crash.

Best Practices:

  • In the vast majority of cases, you’ll want to leave the Write To Files enabled (it’s enabled by default) since it’s one of the primary ways Solid Security actually secures your site. Ensure your server has enough disk space, especially on sites with this setting enabled.
  • If you’ve experienced issues related to the file writing functionality (e.g. leaving config files empty or in an unfinished state), disable the Write To Files setting. Don’t worry, the existing rules in wp-config.php / .htaccess remain intact and the plugin will continue to work.
    • If using NGINX, remember rules are written to the configured NGINX file path and may require a reload.
  • Maintain a known-good version of wp-config.php and .htaccess to restore quickly if something goes wrong.
  • If Solid Security introduces new directives, you’ll need to add them yourself via Security > Tools. See here to learn more: All About Solid Security’s Tools

Lockouts #

Here, you’ll be able to manage the following functions of the Site Lockout feature:

  • Length of time a host or user will be locked out from the site after hitting the limit of bad logins
  • How many days should Solid Security remember a lockout
  • How many attempts a host or user is permitted before being permanently banned

The default configured values per setting are recommended for most sites, so you can leave them as is. 

Lockout Messages #

This lets you manage the messages the users will see when they encounter a lockout:

  • Host Lockout Messages: This is the message that an IP address will see if they’re locked out of the site.
  • User Lockout Message: This is the message a user will see if their specific username is locked out.
  • Community Lockout Message: The message to display to a user when their IP has been flagged as bad by the Solid Security network.

Note: If the lockout screen displays the text “error”, this is not an indication of a system error. It is a fallback message that appears when a host/IP lockout occurs independently of a specific user. In this case, the User Lockout Message does not apply, so the plugin defaults to the general message, which displays the “error” text if no custom message has been set.

Customizing the Lockout Screen #

Out of the box, Solid Security does not include a built-in method to replace the entire lockout screen template. However, the default lockout text can be customized under Lockout Messages to provide more branded or user-friendly messaging.

For visual customizations, such as adding a logo, you can use the following hooks:

  • itsec_lockout_template_before_actions – Inserts content before the action links on the lockout screen.
  • itsec_lockout_action_links – Adds custom links or elements within the action section of the lockout screen.

You can utilize these hooks using a small must-use (MU) plugin or custom code snippet to adjust the lockout screen’s appearance.
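As an added illustration (not code from SolidWP or the Solid Security plugin), here is a must-use plugin that uses the two hooks above to add a logo and a support link. The hook signatures are an assumption: `itsec_lockout_template_before_actions` is treated as an action that fires where markup is printed, and `itsec_lockout_action_links` as a filter that receives an array of HTML link strings. The logo and help URLs are placeholders.

```php
<?php
/**
 * Plugin Name: Branded Lockout Screen (example)
 * Description: Adds a logo and a support link to the Solid Security lockout screen.
 *
 * Save as wp-content/mu-plugins/example-lockout-branding.php so it loads on
 * every request. Assumed hook shapes (not confirmed by the documentation):
 * the first hook is an action fired where output is echoed, the second is a
 * filter that receives an array of HTML link strings.
 */

// Placeholder URLs for the logo and the help page; replace with your own.
const EXAMPLE_LOCKOUT_LOGO_URL = 'https://example.com/wp-content/uploads/logo.png';
const EXAMPLE_LOCKOUT_HELP_URL = 'https://example.com/help/locked-out/';

/**
 * Print a logo above the action links. Every value is escaped before output,
 * so the lockout page never echoes unescaped markup to an anonymous visitor.
 */
function example_lockout_logo() {
    printf(
        '<p class="example-lockout-logo"><img src="%s" alt="%s" width="160" /></p>',
        esc_url( EXAMPLE_LOCKOUT_LOGO_URL ),
        esc_attr( get_bloginfo( 'name' ) )
    );
}
add_action( 'itsec_lockout_template_before_actions', 'example_lockout_logo' );

/**
 * Append a "Contact support" link to the action links.
 *
 * @param mixed $links Existing action links as HTML strings (assumed shape).
 * @return array
 */
function example_lockout_support_link( $links ) {
    if ( ! is_array( $links ) ) {
        $links = array();
    }
    $links[] = sprintf(
        '<a href="%s">%s</a>',
        esc_url( EXAMPLE_LOCKOUT_HELP_URL ),
        esc_html__( 'Contact support', 'example-lockout' )
    );
    return $links;
}
add_filter( 'itsec_lockout_action_links', 'example_lockout_support_link' );
```

WordPress keeps actions and filters in one table, so `add_filter` still attaches the callback if the second hook turns out to be an action; the returned array is then simply ignored. Because the lockout page is shown to unauthenticated visitors, everything printed goes through `esc_url`, `esc_attr` or `esc_html__`.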

Authorized IPs #

This is where you can whitelist an IP address to prevent getting locked out by Solid Security after triggering the Site Lockout conditions. 

It accepts single IP addresses (IPv4/IPv6) and IP ranges as input. To whitelist an IP range, you can use either the wildcard or CIDR notation formats. The IPs and IP ranges should be entered on separate lines.

Using the wildcard format is recommended. For example, for the range:

64.233.160.0 to 64.233.191.255

use a wildcard entry to cover the whole range:

64.233.160.*

If using CIDR notation, a range like 64.233.160.0/24 can be added directly.

Automatically Temporarily Authorize Hosts: Enabling this option will prevent “Administrator” users from being locked out for 24 hours after they successfully log into the site.
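Before saving an Authorized IPs entry it is worth checking exactly which addresses it admits, since an entry that is wider than intended also exempts attackers from lockouts. The following is an added, stand-alone PHP check (not the plugin's own matcher, and IPv4 only) that evaluates an address against a wildcard or CIDR entry and converts a start/end range into a single CIDR block where one exists.

```php
<?php
/**
 * Added example: which addresses does an Authorized IPs entry admit?
 * Not the plugin's matcher; a stand-alone IPv4 illustration of the two
 * accepted notations (wildcard and CIDR). Needs 64-bit PHP for ip2long().
 */

/** Network mask for a prefix length; avoids shifting by 32 for /0. */
function example_mask( int $bits ): int {
    return 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
}

/**
 * Does $ip fall inside an entry written as a wildcard (64.233.160.*) or as
 * CIDR (64.233.160.0/19)? A plain address matches only itself.
 */
function example_ip_matches_entry( string $ip, string $entry ): bool {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false;
    }

    if ( false !== strpos( $entry, '/' ) ) {
        list( $network, $bits ) = explode( '/', $entry, 2 );
        $bits     = (int) $bits;
        $net_long = ip2long( $network );
        if ( false === $net_long || $bits < 0 || $bits > 32 ) {
            return false;
        }
        $mask = example_mask( $bits );
        return ( $ip_long & $mask ) === ( $net_long & $mask );
    }

    if ( false !== strpos( $entry, '*' ) ) {
        // Each octet of the entry is either a literal or a wildcard.
        $entry_octets = explode( '.', $entry );
        $ip_octets    = explode( '.', $ip );
        if ( 4 !== count( $entry_octets ) ) {
            return false;
        }
        foreach ( $entry_octets as $i => $octet ) {
            if ( '*' !== $octet && $octet !== $ip_octets[ $i ] ) {
                return false;
            }
        }
        return true;
    }

    return ip2long( $entry ) === $ip_long;
}

/**
 * The single CIDR block that covers exactly $start..$end, ready to paste
 * into Authorized IPs, or null when the range is not one aligned block.
 */
function example_range_to_cidr( string $start, string $end ): ?string {
    $s = ip2long( $start );
    $e = ip2long( $end );
    if ( false === $s || false === $e || $e < $s ) {
        return null;
    }
    for ( $bits = 32; $bits >= 0; $bits-- ) {
        $mask = example_mask( $bits );
        if ( ( $s & $mask ) === $s && ( $s | ( ~$mask & 0xFFFFFFFF ) ) === $e ) {
            return long2ip( $s ) . '/' . $bits;
        }
    }
    return null;
}

// Constructed checks against the range used in the text above.
var_dump( example_ip_matches_entry( '64.233.160.77', '64.233.160.*' ) );
var_dump( example_ip_matches_entry( '64.233.191.255', '64.233.160.*' ) );
var_dump( example_ip_matches_entry( '64.233.191.255', '64.233.160.0/19' ) );
echo example_range_to_cidr( '64.233.160.0', '64.233.191.255' ), "\n";
```

Run it with `php authorized-ips-check.php`. A single trailing wildcard such as 64.233.160.* admits 64.233.160.0 through 64.233.160.255 only, while 64.233.160.0/19 is the one CIDR block that spans 64.233.160.0 through 64.233.191.255; whichever notation you use, keep the list to the narrowest ranges you actually need.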

Logging #

Here, you will be able to manage how your event logs are stored (File, Database, or both), the length of time they are kept, and the file path in which they are stored. 

IP Detection #

Solid Security relies on IP detection to identify visitors, apply firewall rules, and enforce lockouts. Correct configuration is especially important if your site is behind a proxy service like Cloudflare or a load balancer.

The “Proxy Detection” setting controls how Solid Security determines the IP address of an incoming request, which is crucial for Lockout and Brute Force protection.

  • Security Check Scan (Recommended) – This method involves initiating an API request to SolidWP servers to identify the correct configuration
    — Cannot see this option?
    • Users of Solid Security Basic must enable “Security Check Pro” at Security -> Settings -> Features -> Utilities (tab) for the “Security Check Scan (Recommended)” option to be available.
  • Unconfigured – Any specified proxy header will be used in a predetermined order.
    — Warning: choosing this option disables certain Firewall features because it is susceptible to IP spoofing.
    • In earlier versions of Solid Security, this option was labeled “Automatic (Insecure)”.
  • Manual – Lets you choose the HTTP header that contains the client’s real IP. If using a Proxy service, make sure to configure the correct header, such as CF-Connecting-IP.
  • Disabled – In cases where no Proxy setup exists on the server, this option should be selected. It ensures that the system consistently reads from REMOTE_ADDR.

Correct IP Detection Behind Cloudflare #

If your site uses Cloudflare, point IP Detection at the correct header so that Solid Security reads the client address Cloudflare supplies rather than the address of the Cloudflare edge:

  1. Set Proxy to Manual.
  2. Choose the header: HTTP_CF_CONNECTING_IP (Cloudflare best practice).
  3. Avoid relying on HTTP_X_FORWARDED_FOR unless you’ve confirmed that it matches the true client IP.
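To make the difference between the modes concrete, here is an added PHP illustration (not the plugin's resolver) that resolves a client address from a `$_SERVER`-style array in each mode and runs it over two constructed requests. The header order consulted in Unconfigured mode, and all addresses used, are assumptions for the illustration.

```php
<?php
/**
 * Added example (not the plugin's own resolver): how the three Proxy
 * Detection modes arrive at the address a lockout would be keyed on.
 */

// Order an "Unconfigured" mode might consult headers in. This list is an
// assumption for the illustration; the plugin's real order is not documented here.
const EXAMPLE_PROXY_HEADERS = array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' );

/** First valid address in a header value (X-Forwarded-For may carry a list). */
function example_first_ip( string $value ): ?string {
    $first = trim( explode( ',', $value )[0] );
    return filter_var( $first, FILTER_VALIDATE_IP ) ? $first : null;
}

/**
 * @param array  $server $_SERVER-style array.
 * @param string $mode   'disabled' | 'manual' | 'unconfigured'.
 * @param string $header Header key for manual mode, e.g. HTTP_CF_CONNECTING_IP.
 */
function example_client_ip( array $server, string $mode, string $header = '' ): string {
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';

    switch ( $mode ) {
        case 'manual':
            // Trust exactly one header, and only when it carries a valid address.
            if ( '' !== $header && isset( $server[ $header ] ) ) {
                return example_first_ip( $server[ $header ] ) ?? $remote;
            }
            return $remote;

        case 'unconfigured':
            // The first header present wins. The sender of the request decides
            // which headers are present, which is why this mode is spoofable.
            foreach ( EXAMPLE_PROXY_HEADERS as $candidate ) {
                if ( isset( $server[ $candidate ] ) ) {
                    $ip = example_first_ip( $server[ $candidate ] );
                    if ( null !== $ip ) {
                        return $ip;
                    }
                }
            }
            return $remote;

        case 'disabled':
        default:
            return $remote;
    }
}

// Constructed request 1: no proxy in front of the site; the visitor at
// 203.0.113.9 included an X-Forwarded-For header of their own.
$direct = array(
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.200',
);

// Constructed request 2: Cloudflare in front. 192.0.2.10 stands in for the
// Cloudflare edge address; the real visitor is 203.0.113.9.
$via_cloudflare = array(
    'REMOTE_ADDR'           => '192.0.2.10',
    'HTTP_CF_CONNECTING_IP' => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.9',
);

foreach ( array( 'disabled', 'unconfigured', 'manual' ) as $mode ) {
    printf(
        "%-13s direct=%-16s via_cloudflare=%s\n",
        $mode,
        example_client_ip( $direct, $mode, 'HTTP_CF_CONNECTING_IP' ),
        example_client_ip( $via_cloudflare, $mode, 'HTTP_CF_CONNECTING_IP' )
    );
}
```

In Disabled mode the proxied request resolves to the edge address 192.0.2.10, so a lockout would affect every visitor arriving through that edge. In Unconfigured mode the direct request resolves to 198.51.100.200, a value the sender chose, which is why that mode is marked as susceptible to spoofing. Only Manual mode with `HTTP_CF_CONNECTING_IP` yields 203.0.113.9 in both cases, and it stays correct only as long as every request really does arrive through Cloudflare, so restrict the origin to the proxy's addresses where your host allows it.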

Why High-Volume Traffic May Not Appear in Solid Security Logs #

If you’re seeing traffic spikes in your Cloudflare, Statify, or hosting provider tools but not in Solid Security, this behavior is expected and here’s why:

  • Solid Security only logs requests when a security rule is triggered (firewall violation, brute force attempt, etc.).
  • Firewall logs are event-based, not visit-based. This means that only violations are added to the security logs, and normal page visits aren’t.
  • The Security Dashboard’s firewall block counts are driven by logs of actual blocked requests, not overall request volume.

UI Tweaks

This lets you hide the Security Messages Menu from the WordPress admin bar.

Now that you’ve covered the Global Settings, don’t forget to save your changes!

Features #

The Features settings screen is divided into four major areas of security features that you can enforce on your site. Each area contains modules that you can turn ON or OFF, each with its own settings that you can tweak further.

You can view the overview of each area below and links to more thorough documentation are provided where necessary for a deeper look into specific features.

Login Security #

Here you can find the features that secure your site’s login functionality.

Two Factor #

Enabling Two-Factor Authentication greatly increases the security of your WordPress user account by requiring additional information beyond your username and password in order to log in.

Privilege Escalation #

Allows administrators to temporarily grant extra access (Administrator or Editor privileges) to a user of the site for a specified period of time.

For example, a contractor can be granted developer access to the site for 24 hours after which his or her status would be automatically revoked.

To grant extra access, head to the user’s Profile page and find the setting within the Solid Security User Security UI.

[Image: Grant extra access]

Note: While this setting is in place, the user’s displayed role stays the same; only their privileges are updated.

Passwordless Login #

Enable Passwordless Login to bypass the password and Two-Factor requirements upon login by allowing users to log in using Magic Links or Passkeys. 

The Magic Link email contains a special login link that redirects to the WordPress login page and it’s sent to the user’s registered email address shown in your user profile. 

Passkeys let you log in using roaming or platform authenticators without having to remember a password.

Trusted Devices #

Trusted Devices identifies the devices users log in from and can apply additional restrictions to unknown devices. More information on Trusted Devices can be found here: Understanding Trusted Devices in Solid Security.

Passkeys #

Passkeys are a password-free login method that uses cryptographic keys stored on your device. Through WebAuthn, users can log in with platform authenticators such as Face ID, Touch ID or Windows Hello, or with physical security keys (roaming authenticators) that their device supports.

Firewall #

The Firewall features help prevent bad users from brute forcing their way into your site.

Ban Users #

Enabling this lets you ban specific IP addresses and User Agents from accessing the site. When you open the dropdown on this setting, only the section for banning User Agents can be found. The specific section for banning IPs is located within the Security -> Dashboard page.

Note that the Ban Users module is not available if IP Detection has not been configured for your site. (See: I’m Getting a notice about “Feature unavailable” related to IP detection. What’s that about?)

Default Ban List #

Enabling Default Ban List adds the excellent ban list developed by Jim Walker of HackRepair.com. 

Enable Ban List #

Activating Enable Ban List gives you the option to limit the number of banned IP addresses in your server and lets you ban user agents.

Limit Banned IPs in Server Configuration Files #

Set the limit of banned IP addresses allowed in your Server Configuration Files (.htaccess and nginx.conf) to reduce the chance of a server timeout. This is useful for servers with limited resources that cannot handle large lists of banned IPs within the server file. The default limit is 100.

Ban User Agents #

Enter specific User-Agent Strings that will not be allowed access to your site.

Firewall Rules Engine #

The Firewall module monitors traffic against known bad patterns (from Patchstack and your own rules).

This is where you configure the maximum number of firewall rules violations allowed per host/user within a set time period. If a visitor triggers too many violations their IP will be locked out.

Adjust the “Max Firewall Violations Per IP Address” and “Time period to remember violations” to match how strict you want the site’s protection to be.

Local Brute Force #

The Local Brute Force module limits how many failed login attempts are allowed before a lockout. Enabling this helps you protect your site against attackers who try to brute force their way into your site by guessing the login details randomly.

This module has a two-tier system:

  1. Temporary Lockouts: After 5 failed attempts per IP (or 10 per user), the IP/user gets temporarily locked out for 15 minutes (triggering the Site Lockout Notification).
  2. Permanent Bans: After 3 temporary lockouts are remembered within 7 days, the IP gets permanently banned and will be added to the Banned IPs card in the Security Dashboard.

Default configuration:

  • 5 failed attempts per host (IP), or
  • 10 failed attempts per user account will trigger a temporary lockout (15 minutes).
  • If a host/user hits 3 temporary lockouts within 7 days, they’ll be permanently banned.

You can customize these thresholds via the “Max Login Attempts per IP/User” and “Minutes to Remember Bad Logins” fields.
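The following added PHP model (not the plugin's code) reproduces the two-tier policy with the documented defaults, so you can see how a change to one threshold affects the other before editing the fields. The window for remembering bad logins is an assumed 5 minutes because the text does not state its default; the host address and timestamps are constructed.

```php
<?php
/**
 * Added example, not Solid Security's code: a model of the two-tier Local
 * Brute Force policy (temporary lockouts, then a permanent ban).
 */
final class ExampleLockoutPolicy {
    private $max_per_host;
    private $max_per_user;
    private $remember_bad_logins; // seconds a failed attempt counts towards the threshold
    private $lockout_seconds;     // length of a temporary lockout
    private $lockouts_before_ban;
    private $remember_lockouts;   // seconds a temporary lockout stays on record

    private $failures = array();  // key => failure timestamps
    private $lockouts = array();  // key => lockout timestamps
    private $banned   = array();  // key => true

    public function __construct( array $settings = array() ) {
        // Defaults follow the documented values; the bad-login window is an
        // assumed 5 minutes because the page does not state its default.
        $this->max_per_host        = $settings['max_per_host'] ?? 5;
        $this->max_per_user        = $settings['max_per_user'] ?? 10;
        $this->remember_bad_logins = ( $settings['remember_bad_logins_minutes'] ?? 5 ) * 60;
        $this->lockout_seconds     = ( $settings['lockout_minutes'] ?? 15 ) * 60;
        $this->lockouts_before_ban = $settings['lockouts_before_ban'] ?? 3;
        $this->remember_lockouts   = ( $settings['remember_lockout_days'] ?? 7 ) * 86400;
    }

    /**
     * Record one failed login for a host ('host:203.0.113.9') or user
     * ('user:alice') and return the state: 'allowed', 'temporary' or 'permanent'.
     */
    public function record_failure( string $key, int $now ): string {
        if ( isset( $this->banned[ $key ] ) ) {
            return 'permanent';
        }
        if ( $this->is_locked_out( $key, $now ) ) {
            return 'temporary';
        }

        $this->failures[ $key ][] = $now;
        $this->failures[ $key ]   = $this->recent( $this->failures[ $key ], $now, $this->remember_bad_logins );

        $limit = 0 === strpos( $key, 'user:' ) ? $this->max_per_user : $this->max_per_host;
        if ( count( $this->failures[ $key ] ) < $limit ) {
            return 'allowed';
        }

        // Threshold reached: start a temporary lockout and reset the counter.
        $this->failures[ $key ]   = array();
        $this->lockouts[ $key ][] = $now;
        $this->lockouts[ $key ]   = $this->recent( $this->lockouts[ $key ], $now, $this->remember_lockouts );

        if ( count( $this->lockouts[ $key ] ) >= $this->lockouts_before_ban ) {
            $this->banned[ $key ] = true;
            return 'permanent';
        }
        return 'temporary';
    }

    public function is_locked_out( string $key, int $now ): bool {
        if ( empty( $this->lockouts[ $key ] ) ) {
            return false;
        }
        return $now < max( $this->lockouts[ $key ] ) + $this->lockout_seconds;
    }

    /** Keep only timestamps within $window seconds of $now. */
    private function recent( array $times, int $now, int $window ): array {
        return array_values( array_filter( $times, function ( $t ) use ( $now, $window ) {
            return $t > $now - $window;
        } ) );
    }
}

// Constructed walk-through: one host sends a burst of five failures on each
// of three consecutive days, all inside the 7-day lockout memory.
$policy = new ExampleLockoutPolicy();
$t0     = 1700000000; // fixed epoch so the run is reproducible
$host   = 'host:203.0.113.9';
for ( $day = 0; $day < 3; $day++ ) {
    $base = $t0 + $day * 86400;
    for ( $i = 0; $i < 5; $i++ ) {
        printf( "day %d attempt %d: %s\n", $day + 1, $i + 1, $policy->record_failure( $host, $base + $i * 10 ) );
    }
}
```

Running it shows the first four attempts of each day as allowed, the fifth attempt on days one and two producing a temporary lockout, and the fifth attempt on day three turning the third remembered lockout into a permanent ban. Setting `remember_lockout_days` to 1 instead would let the same host avoid the ban, because each day's lockout would have dropped out of memory before the next burst; the lockout memory is what links the two tiers.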

Network Brute Force #

Enabling Network Brute Force lets you join Solid Security’s network of sites that report bad IPs on the internet.

How it works: Participating sites share data on malicious IPs. If an IP is flagged as abusive across the network, it can be immediately blocked on your site, even if the login attempt is technically valid.

Note that you must register an email address in the settings to get an automatic API Key.

Magic Links #

The Magic Links module enables an option to help you bypass a lockout if it’s triggered accidentally.

How it works: When a lockout is tied to a specific user, a “Send Magic Link” button will appear on the lockout page. Clicking it sends an email with a short-lived login link.

Limitations: Magic Links only appear when the lockout is tied to a known user account. If the lockout is IP-based (e.g., repeated 404s, generic host bans), the “Send Magic Link” button won’t be shown.

CAPTCHA #

Solid Security Pro’s CAPTCHA allows you to set and configure protection for login forms on your site. This helps with everything from malicious logins to spam registrations, a common attack on sites that allow users to register.

To dive deeper into the CAPTCHA settings, supported providers, and best practices, learn more here: Using Solid Security’s CAPTCHA.

Site Check #

File Change #

File Change Detection enables monitoring on what files have changed in your WordPress installation, alerting you to changes not made by yourself. This feature helps identify security breaches by alerting you when files change on your website, as malware typically adds, removes, or modifies files.

Site Scan Scheduling #

Automates the Site Scan to run four times per day if you use Solid Security, or every hour if you use Solid Security Pro. If a new vulnerability is found that wasn’t identified in the last scan, and the priority of the vulnerability meets the threshold as defined in your settings, an email will be sent to the admin or select users.

User Logging #

Enables the ability to log user actions such as logging in, saving content, and making changes to the site’s software.

Version Management #

Version Management automates updates to WordPress core, themes, and plugins, and tightens protections when a site is running outdated software. It also connects with vulnerability intelligence and the firewall to apply real-time protections.

Enabling Version Management places Solid Security in control of updates and disables WordPress’ default per-plugin/theme auto-update behavior. This avoids conflicts and gives more granular control over timing and risk.

Why use Version Management #

Keeping software updated is one of the most effective ways to prevent compromises. Version Management helps in two ways:

  • Automatic updates with control. Apply updates immediately, delay them for a defined period, or disable auto-updates for specific components that require testing.
  • Real-time protection for known vulnerabilities. When an update fixes a security issue, Version Management can automatically apply it. If no fix exists yet, the firewall’s virtual patching (via Patchstack) provides interim protection.

Use Version Management if you:

  • Maintain multiple plugins/themes and want a predictable update policy.
  • Need to delay high-impact releases but still patch security issues quickly.

Where to enable Version Management #

  • In WordPress, go to Security > Settings > Features > Site Check > Version Management.
  • Toggle Version Management On, then expand the settings.

Version Management Settings #

Core Updates #

Automatically install the latest WordPress release. Recommended for maintenance and security releases. Major releases should be applied after testing on complex sites.

Plugin & Theme Updates #

Choose how Solid Security handles each plugin and theme:

  • Enable – Update as soon as a new version is available.
  • Delay – Set a delay (in days) before applying an update. Useful for major releases that often get quick follow-ups.
  • Disable – Exclude from auto-updates; you will update manually.

Auto Update If Fixes Vulnerability #

When the Site Scanner detects a known vulnerability and an update is available, Solid Security applies it immediately—regardless of any general delay setting.

Scan for Old WordPress Sites #

Detect additional WordPress installs on the same hosting account that may have been abandoned and are still vulnerable.

Real-Time Updates indicator on the Firewall page #

The Firewall screen shows a Real-Time Updates status:

  • Active — Version Management is enabled. Vulnerability intelligence and virtual patching are in place, and update automation can act on scan findings.
  • Inactive — Version Management is not enabled. Turn on Version Management to activate real-time protections and automation.

Firewall shows “Real-Time Updates Inactive.” #

  • Go to Security > Settings > Features > Site Check > Version Management and enable it. Save settings, then refresh the Firewall page.
  • Confirm the site is licensed and can reach SolidWP/Patchstack services (no outbound firewall blocks, no blocked REST requests).

Utilities #

Enforce SSL #

Ensure your website’s data is secure by forcing SSL connections with Solid Security Pro.

This enforces that all connections to the website are made over SSL/TLS by adding the define( 'FORCE_SSL_ADMIN', true ); constant to your wp-config.php file. Note: This setting is not equivalent to an SSL certificate, so you still need to obtain one for your site.

Before You Begin: #

  • Obtain an SSL Certificate: Ensure your website has an active SSL certificate. Contact your hosting provider if assistance is needed.

Best Practices #

  • Test Your Website: After enabling forced SSL, thoroughly check your site for functionality, including identifying and fixing mixed content warnings.

Benefits of Forced SSL #

  • Enhanced Security: Protects sensitive data, such as login credentials and payment information.
  • Improved SEO: HTTPS improves search engine rankings.
  • Increased Trust: Reassures users that their data is secure, especially for e-commerce sites.

Database Backups #

Regular database backups ensure you can recover your website’s content and settings in emergencies. While Solid Security Pro’s Database Backups feature provides an excellent redundancy layer, exploring a complete backup solution, such as Solid Backups — NextGen, is recommended for a more comprehensive approach to safeguarding your site.

This module gives you the ability to create a database backup or schedule automatic database backups. These backups can be saved locally on your server, emailed to you, or both.

Note: This setting won’t appear if you have Solid Backups – Legacy activated on the site.

How it works #

  • The plugin first creates a raw .sql file of your database.
  • If “Zip” is enabled, it attempts to compress that .sql into a .zip. If the zip succeeds, the .sql is deleted.
  • Once the backup is written, the system prunes older backups, keeping only the number you specify in “Backups to Retain“.
  • Retention only applies to backups stored locally. If you select Email Only, pruning is skipped.

Set the Backup Interval: Decide how often you want backups to run. Enter the number of days between backups in the “BACKUP INTERVAL” field. For example, entering “3” will create a backup every three days.

Choose Where to Save Backups:

  • Save Locally and Email: This option saves a copy of your server’s backup and sends a copy to your email address.
  • Email Only: This sends the backup only to your email address.
  • Save Locally Only: This saves the backup only on your server.

Compress Backup Files (Optional):

  • By default, Solid Security Pro makes your backup files smaller by zipping them. This usually helps, but if you have any problems with backups, you might need to turn this off.

Choose Which Tables to Back Up (Optional):

[Image: backup tables]

  • Included Tables: List the specific database tables you want to include in the backup. WordPress core tables are always included automatically.
  • Excluded Tables: List any tables you don’t want to include in the backup. This can be useful for very large tables, such as logs that are not critical.

Why Back Up Your Database #

Your WordPress database stores all your website’s content, settings, and user information. Regularly backing it up is crucial for these reasons:

  • Protection against data loss: If your site crashes, gets hacked, or you make a mistake while updating, a backup lets you restore everything quickly.
  • Easy migration: Moving your website to a new server is much simpler with a recent backup.
  • Peace of mind: Knowing you have a safe copy of your data reduces stress and allows you to focus on other things.

Common Issues #

If you see raw .sql files piling up or pruning not working, the backup job likely isn’t reaching the zip + prune step. The following are the typical causes of this problem:

  • PHP execution time too low (large DBs exceed 60s). See this guide on how to increase PHP execution time.
  • Insufficient disk space for .sql + .zip.
  • File permissions prevent deletion.
  • WP-Cron timeouts or large tables slow the process.
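As an added illustration (not the plugin's backup code), the PHP below performs the write, zip and prune steps in the order described under How it works and shows where each failure listed under Common Issues would leave a raw .sql behind. It works in a temporary directory it creates and removes itself; e-mail delivery is not modelled, so only the local-storage path (where retention applies) is shown. The sample dump and timestamps are constructed.

```php
<?php
/**
 * Added example, not Solid Security's backup code: the write -> zip -> prune
 * cycle, run in a temporary directory this script creates and removes.
 */

/**
 * Write $sql_dump as a dated .sql in $dir, zip it when $zip is true (the raw
 * .sql is deleted only after the archive closed cleanly), then prune the
 * oldest local backups so at most $retain remain. Returns the files kept,
 * newest first.
 *
 * @throws RuntimeException when the dump cannot be written or an old backup
 *                          cannot be deleted (disk space or permissions).
 */
function example_backup_cycle( string $dir, string $sql_dump, bool $zip, int $retain, int $now ): array {
    $sql = $dir . '/backup-' . gmdate( 'Y-m-d-H-i-s', $now ) . '.sql';

    // Step 1: raw dump. A full disk surfaces here as a short or failed write.
    if ( strlen( $sql_dump ) !== @file_put_contents( $sql, $sql_dump ) ) {
        throw new RuntimeException( "could not write $sql (disk space or permissions?)" );
    }

    // Step 2: compress. If any part of this fails the .sql stays in place,
    // which is the "raw .sql files piling up" symptom from Common Issues.
    if ( $zip && class_exists( 'ZipArchive' ) ) {
        $archive  = new ZipArchive();
        $zip_name = substr( $sql, 0, -4 ) . '.zip';
        $ok = true === $archive->open( $zip_name, ZipArchive::CREATE | ZipArchive::OVERWRITE )
            && $archive->addFile( $sql, basename( $sql ) )
            && $archive->close();
        if ( $ok ) {
            unlink( $sql );
        }
    }

    // Step 3: prune. Timestamped names sort chronologically; rsort puts newest first.
    $files = array_merge(
        glob( $dir . '/backup-*.sql' ) ?: array(),
        glob( $dir . '/backup-*.zip' ) ?: array()
    );
    rsort( $files );
    foreach ( array_slice( $files, $retain ) as $old ) {
        if ( ! @unlink( $old ) ) {
            throw new RuntimeException( "could not delete $old (permissions?)" );
        }
    }
    return array_slice( $files, 0, $retain );
}

// Constructed run: five daily backups with "Backups to Retain" set to 3.
$dir = sys_get_temp_dir() . '/example-backups-' . getmypid();
mkdir( $dir, 0700 );
$sample_dump = "-- constructed sample dump, not a real database\nCREATE TABLE wp_options (option_id bigint);\n";
$kept = array();
for ( $day = 0; $day < 5; $day++ ) {
    $kept = example_backup_cycle( $dir, $sample_dump, true, 3, 1700000000 + $day * 86400 );
}
echo implode( "\n", array_map( 'basename', $kept ) ), "\n";

// Remove the temporary directory again.
array_map( 'unlink', glob( $dir . '/*' ) ?: array() );
rmdir( $dir );
```

After the fifth run only the three newest .zip files remain. Running the same script with the disk nearly full, or with the directory made read-only between runs, reproduces the two exceptions, which is a quick way to tell a write failure from a permissions failure when raw .sql files start accumulating.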

Security Check Pro #

Determines the correct way to identify the IP addresses of your site visitors according to the server configuration. 

Note: This setting is only shown in Solid Security Basic. Solid Security Pro uses the Security Check Pro setting by default.

Geolocation #

Solid Security Pro uses Geolocation for the Trusted Devices module to help you identify suspicious login attempts. By showing you the approximate location of unrecognized logins, you can quickly assess potential threats and take action to protect your site.

This improves the Trusted Devices feature by connecting it to an external location/mapping API of your choosing.

Why Use Geolocation #

  • Identify suspicious activity: See where unrecognized logins are coming from to determine if they’re legitimate or potentially malicious.
  • Strengthen site security: Geolocation data adds another layer of information to help you assess and respond to potential threats.
  • Peace of mind: Gain greater awareness of who is trying to access your site and from where.

Important Notes #

  • Geolocation provides an approximate location, not an exact address.
  • Keep in mind that some users might use VPNs or other methods to mask their true location.

Learn more about configuring Geolocation here.

User Groups #

The User Groups settings of Solid Security gives you the ability to set up different security settings for every User Group and create custom User Groups to fit your specific site needs. 

Modules in User Groups #

Below are the features that can be enabled per User Group. Note that each of these settings must first be enabled in the Security Modules section before it can be used in User Groups.

Manage Solid Security

  • Allows users in this group to manage Solid Security settings. Only enable this for users you want to be able to make changes across the site. (This is the only setting that is always available.)

Enable Dashboard Creation (Security Dashboard Module)

  • Allows the users in the set group to enable the Security Dashboard. The Security Dashboard gives a real-time evaluation of the security activity on your site.

Strong Passwords (Password Requirements Module)

  • Force users in this group to use strong passwords.

Refuse Compromised Passwords (Password Requirements Module)

  • Forces users to use unique passwords that do not appear in any password breaches tracked by Have I Been Pwned.

Password Age (Password Requirements Module)

  • Expires the passwords of users in the group, forcing them to change their password after a set number of days.

Skip Two-Factor Onboarding (Two-Factor Authentication Module)

  • Disables the forced use of Two-Factor Authentication for the selected users. We don’t recommend changing this from the default, as Two-Factor authentication is important for all users, not just administrators.

Application Passwords (Two-Factor Authentication Module)

  • Use Application Passwords to allow authentication without providing your actual password when using non-traditional login methods such as XML-RPC or the REST API. They can be easily revoked and can never be used for traditional logins to your website.

Require Two-Factor (Two-Factor Authentication Module)

  • Requires users in the selected group to use Two-Factor Authentication. It is highly recommended to enable this feature for any user who can make changes to the site.
  • Note: This setting is only available when the “Email” method is allowed for users via Two-Factor module.

Allow Remembering Device (Two-Factor Authentication Module)

  • Allows users to check the Remember this Device box. If checked, the module will not force the user to enter a Two-Factor Authentication code when logging in.
  • You must enable the Trusted Devices module to enable this feature.

Enable Passwordless Login (Passwordless Login Modules)

  • Send an email with a secure link that allows users to log in without entering a password.

Allow Two-Factor Bypass for Passwordless Login (Passwordless Login Modules)

  • Gives users the option to bypass Two-Factor Authentication when using Passwordless Login.

Activity Monitoring (User Logging Module)

  • Tracks and logs the activity of users selected in the User Group.

Trusted Devices (Trusted Devices Module)

The Trusted Devices feature identifies the device used to log in and can apply additional restrictions to unknown devices, such as capability restriction and session hijacking protection.

Customizing User Groups #

Creating a User Group #

Creating a new user group is a simple and straightforward process with the customizable User Groups feature. To create a new User Group, navigate to Security -> Settings -> User Groups and click the “+” icon. To name the new User Group, click the Edit Group tab beside Features, and enter the name in the input box under Group Name.

Now that the new User Group is created, you can select which features you would like to be enabled for that User Group.

Add Roles to Group by Capabilities (Preferred Method)

When creating a User Group, the preferred method is to create the new group using the Capabilities checkbox. If a new role is created by installing a plugin (WooCommerce, for example), any user with those capabilities will be included in this group. More information can be found in the Specific Examples section later in this article. The standard User Roles are Administrator, Editor, Author, Contributor, and Subscriber.

After the group is created, you have the ability to select which Security features will be enforced on the users in that group. It is highly recommended to enable Two-Factor Authentication for any User Group that includes users or groups with the ability to make changes on the site.

Add/Remove Users in a User Group #

You have the ability to pick and choose which users will be in each group. Say you have one user with the Author role that you would like to have Administrator capabilities but do not want all Author roles to have Administrator capabilities. In this case, you could go to the Administrator User Group, scroll down to the Select Users section, and select the singular user you would like added to that group.

To remove users from the selected group, simply scroll down to the Selected Users section and click the “X” icon next to the user you wish to remove.

Making Changes to Multiple Groups #

It is possible to make changes to multiple groups at once. You can edit multiple User Groups at the same time by clicking Edit Multiple Groups.

For instance, you could have each member in the Editor, Author, and Contributor roles be required to use strong passwords. To do this, simply select the User Groups you want to be impacted and click the Strong Passwords box, then Save the settings.

Everybody Else

The Everybody Else User Group contains each user registered on your site that does not already belong to a specific group. Let’s say you only have two User Groups, one for Administrators and one for Editors, but you want Two-Factor Authentication to be enforced for every user that registers on your site. In this instance, you can enable Two-Factor Authentication in the Everybody Else User Group so that each registered user must complete the Two-Factor Authentication method. In this example, each user that is not included in the Administrator or Editor User Group will be included in the Everybody Else User Group.

Changing User Group Names #

The standard group names are Administrator, Editor, Author, Contributor, and Subscriber. You can change these group names to anything you would like by going to the Edit Group tab, and then in the input box below Group Name, remove the text, and replace it with the custom text you would like to use. Once you have changed the name of the User Group, don’t forget to hit Save at the bottom of the page.

Specific Examples #

As mentioned above, there is a set standard of User Group names. But what if you want to install something like WooCommerce or LifterLMS that has its own user roles? Not to worry: User Groups adds the new User Roles under the appropriate capabilities. The image below shows what your User Group capabilities will be with the standard user groups.

Here’s how it would look with WooCommerce and LifterLMS:

Notifications #

The Notifications area lets you manage and configure email notifications sent by Solid Security related to various modules.

The first thing you see on the Notifications page is an option to change the From Email address and the Default Recipient list.

FROM EMAIL: Solid Security will send notifications from this email address. Leave blank to use the WordPress default.
Default Recipients: Set the default recipients for any admin-facing notifications.

It is best to leave the FROM EMAIL field blank unless you use a dedicated sending address (something like [email protected]) rather than your admin user’s email address; otherwise deliveries may fail.

You can also use third-party services such as Sendgrid, Postmark, Mandrill, etc. and/or use an SMTP plugin, to better handle emails and avoid email delivery issues.

Email Notifications #

Security Digest #

During periods of heavy attack, Solid Security can generate a LOT of emails. Enabling Security Digest will reduce the number of emails sent so you can receive a summary of lockouts, file change detection scans, active & mitigated vulnerabilities and privilege escalations.

Note: You will need to disable the Lockout Notification if you do not want to receive a notification for each lockout.

Site Lockouts #

Enabling Site Lockouts will send emails to notify you when a user or host is locked out of your website.

Note: the Site Lockout Notification is “all or nothing”, and if your site is experiencing a DDoS-style attack or other bot-driven login attack, having the Site Lockout Notification enabled can trigger an alarming number of emails. First: don’t panic. A Site Lockout Notification is a great sign that Solid Security is working. Next: there’s no danger in disabling this notification and relying on your dashboard for keeping track of lockouts.

Database Backups #

The Database Backups notification will send a copy of any backups to the email addresses you listed as recipients. This is only available when the Database Backups module is activated and configured.

File Change #

The File Change module sends a File Change email containing a file scan report after changes have been detected compared to the last day’s scan. This is only available when the File Change module is activated and configured.

Unrecognized Login #

When the Trusted Devices module is active, you can enable the Unrecognized Login email notification to have Solid Security send registered users a notification if there is a login from an unrecognized device.

Settings Export #

The Import Export module sends an email with the settings export file attached.

Magic Links Lockout Bypass #

The Magic Links module sends an email with a Magic Link that bypasses a Site Lockout.

Note: The default email template already includes the login_url tag.

Site Scan Results #

The Site Scan Scheduling module sends an email if it discovers an issue or has repeated difficulty conducting the scan.

The site scan runs four times a day if you use Solid Security, or hourly if you use Solid Security Pro, but notifications are only sent when the site scanner detects a plugin or theme with a known vulnerability that hasn’t been identified in the previous scan, or repeated scan failure is detected.

Passwordless Login #

The Passwordless Login module sends an email with a link to log in automatically.

Note: The default email template already includes the login_url tag as a button.

Two-Factor Email #

The Two-Factor Authentication module sends the Two-Factor Email containing the Two-Factor Authentication Code for users using email as their two-factor provider.

Two-Factor Email Confirmation #

The Two-Factor Authentication module sends the Two-Factor Email Confirmation containing the Authentication Code for users when they are setting up Two-Factor. Try to keep the email similar to the Two-Factor Email.

Note: Disabling this email will disable the Two-Factor Email Confirmation flow.

Two-Factor Reminder Notice #

The User Security Check module allows you to remind users to set up Two-Factor Authentication for their accounts by sending a Two-Factor Reminder Notice email.

Inactive Users #

The User Security Check module sends you a list of users who have not been active in the last 30 days via the Inactive Users email, so you can consider demoting or removing users.

Automatic Updates Info #

The Version Management module will send the Automatic Updates Info email with details about any automatic updates that have been performed.

Old Site Scan #

The Version Management module will send the Old Site Scan email if it detects outdated WordPress sites on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.

Which emails should I enable? #

Depending on how your site is set up, you may want to stop receiving specific notifications but keep the important ones, so you stay informed without overwhelming your inbox.

In this case, here are the recommended notifications to keep enabled:

  • Security Digest: Receive a daily or weekly summary of Site Lockouts, File Change Scans, Vulnerabilities and Privilege Escalation notices, so you’re aware of key security events without getting constant emails.
  • Site Lockouts: Get notified if someone is locked out of your site due to too many failed login attempts or security rules.
  • Site Scan Results: Stay updated on any vulnerabilities found during scheduled site scans.
  • All 2FA Emails: Required if you have Two-Factor Authentication enabled, so users can receive their authentication codes.

On the other hand, the below are optional and can be adjusted based on what you want real-time emails for:

  • Database Backup: Enable if you use the built-in database backup feature. If you use a separate backup plugin that sends its own alerts, this is not needed.
  • File Change: Optional, as Security Digest can be enabled instead. Note that Security Digest only shows a brief message about detected file changes, so you’ll have to look at the Security Logs to see the full list of detected changes.
  • Settings Export: Alerts you if someone exports your security settings and is mainly useful for admins managing larger teams.
  • Inactive Users: Helpful for sites with multiple users, so you can track and manage stale accounts.
  • Automatic Updates Info: Useful if you don’t already get automatic update notifications from your hosting provider, WordPress core, or other plugins. Otherwise this may send duplicate information.

Advanced Settings #

The Advanced settings area in Solid Security provides powerful tools for fine-tuning your WordPress site’s security. 

These settings are listed as “advanced” because in blocking potential avenues for bad actors, they can also block legitimate plugins and themes that rely on the same techniques.

When implementing these advanced settings, users who don’t have a detailed technical understanding of all of their plugin, theme, and hosting settings should take care to confirm that these settings are not hindering the intended functionality of the site. One tip is to enable each setting one by one, and then check your website to test that everything still works as expected before moving to the next setting. The SolidWP support team is also happy to give tips and pointers on specific advanced settings that might not be covered in this documentation (which is updated regularly).

This area has three key sections: System Tweaks, WordPress Tweaks, and Hide Backend. Solid Security Pro users have an additional Feature Flags section.

By customizing the Advanced settings, you can harden your WordPress installation in specific ways that wouldn’t suit every website. Whether you’re managing a high-traffic site or a personal blog, this area is important if you’re looking to go beyond basic security measures while keeping the flexibility your site requires.

System Tweaks #

System Tweaks lets you configure low-level server-side settings to help block commonly exploited areas of a WordPress install.

The Protect System Files option prevents public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess files. There are very few valid reasons those particular files would be publicly accessible, and most hosts automatically prevent public access. This setting essentially doubles up that protection for those files. 

The Disable Directory Browsing feature prevents users from seeing a list of files in a directory when no index file is present. This can also be configured through web host permissions, but it is always a good idea to prevent directories from being browsed directly.

The setting to Disable PHP execution in the Uploads, Plugins, and Themes Directories prevents scripts from being executed in these directories. If a malicious script is somehow uploaded, trying to access it will result in a 403 error. Of course, if a plugin, theme or even software installed by your web host puts executable PHP files into one of those directories (which is not a best practice but definitely does happen), this setting can cause headaches. Test all critical site functionality after enabling this, and it might be worth doing a cursory check (using a file manager or similar) of those three directories to make sure no stray PHP files are sitting there waiting to be executed.

WordPress Tweaks #

The settings in WordPress Tweaks let you fine-tune WordPress functionalities such as disabling XML-RPC or limiting access to the REST API to minimize access to WordPress information.

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.

Disable File Editor #

Disables the WordPress built-in file editor for plugins and themes by adding this constant: define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This prevents editing theme and plugin files directly from the admin dashboard and helps secure your site against unauthorized file modifications in case an admin account is compromised.

Once activated, you will need to edit theme and plugin files manually using an FTP client, SSH, or your hosting file manager instead of the WordPress admin interface.

API Access #

The WordPress XML-RPC feature enables remote communication between third-party applications and the website, with data transmitted as XML over HTTP. Common uses are pingbacks (where another site that links to one of your posts notifies your site, which can then link back to it) and mobile applications that read and write data on your WordPress site. It’s useful if you’re using it, but a security hole worth patching if you’re not.

The most common way it’s exploited is a denial of service attack (DoS), where a bot or bad actor repeatedly hits the XML-RPC endpoint until it overwhelms the server.

There are three options for restricting the feature:

  1. Enable XML-RPC = XML-RPC is fully enabled and will function as normal.
  2. Disable Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature. Other XML-RPC features will work as normal. You need this if you require features such as Jetpack or the WordPress Mobile app.
  3. Disable XML-RPC = XML-RPC will be completely disabled by your web server and is the safest option. This will prevent features such as Jetpack that require XML-RPC from working. 

The Multiple Authentication Attempts per XML-RPC Request feature is another advanced feature that requires a bit of deeper understanding of XML-RPC to know how best to handle it. 

To use XML-RPC for anything that requires authentication, each request has to prove it carries the correct credentials. By default, however, WordPress’ XML-RPC feature allows hundreds of username and password guesses in a single request. Leaving this setting unchecked (Solid Security’s default) prevents attackers from exploiting that behavior by limiting each request to a single username and password combination; if it is incorrect, the entire request has to start over.

  • Unchecked = Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
  • Checked = Allows XML-RPC requests that contain multiple login attempts. If a third-party service is breaking for any reason that seems related to authentication, this setting is a good place to start troubleshooting. 

The WordPress REST API (REpresentational State Transfer Application Programming Interface) is a powerful feature of WordPress that provides developers with a way to connect to, modify, and configure WordPress programmatically. Before the REST API was in WordPress, there was no standard and predictable way to authenticate and interact with the application (WordPress itself) for third parties. It’s a very powerful system that opens up limitless possibilities to enterprising developers.

Many functions still require authentication, but by default WordPress leaves much information open. Things like usernames, author bios, and other data could potentially be used to form a profile of vulnerabilities on your site.

With Solid Security, you can restrict almost all data (even things that are definitely not sensitive) behind a login. 

  • Default Access = Access to REST API data is left as default. Information, including published posts, user details, and media library entries, is available for public access.
  • Restricted Access = Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially private data. We recommend selecting this option.
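As an added illustration of what two of the settings above control (this is not Solid Security’s code), the following must-use plugin applies comparable restrictions with plain WordPress filters: it removes the pingback methods from XML-RPC (the spirit of the Disable Pingbacks choice) and requires a logged-in user for REST API requests (the Restricted Access choice). The public-route allow-list is an assumption made for the example.

```php
<?php
/**
 * Plugin Name: Added example: XML-RPC pingback and REST API restrictions
 *
 * Illustration only, not Solid Security's code. Place in wp-content/mu-plugins/
 * on a test site. Each part mirrors one WordPress Tweaks option described above.
 */

/**
 * "Disable Pingbacks": keep XML-RPC working for Jetpack or the mobile app, but
 * remove the pingback methods so the endpoint cannot be used to generate
 * pingback traffic. Both method names are registered by WordPress's XML-RPC server.
 */
function example_remove_pingback_methods( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

/** Also stop advertising the endpoint through the X-Pingback response header. */
function example_remove_pingback_header( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

/**
 * Routes that stay public even under "Restricted Access". Assumption for this
 * example: oEmbed discovery is kept so other sites can still embed your posts.
 */
const EXAMPLE_PUBLIC_REST_PREFIXES = array( '/oembed/1.0/' );

/**
 * "Restricted Access": anonymous REST API requests receive a 401 unless the
 * route is on the allow-list. Logged-in users (cookie plus nonce, application
 * passwords, or any other authentication that already ran) are unaffected.
 */
function example_restrict_rest_api( $result ) {
    // true means another handler already authenticated the request; a WP_Error
    // means authentication already failed. Leave both untouched.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // rest_route is populated for both pretty (/wp-json/...) and plain
    // (?rest_route=...) REST URLs, e.g. "/wp/v2/users".
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API on this site.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api' );
```

With this active, an anonymous request to /wp-json/wp/v2/users returns a 401 instead of listing usernames, while logged-in dashboard requests continue to work.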

Users #

By default, WordPress allows users to log in using either an email address or a username. The Login with Email Address or Username setting allows you to restrict logins to accept only email addresses or only usernames.

Force Unique Nickname

This forces users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages.

Note: modifying this does not automatically update existing user accounts in any way. Author URLs (which can be public-facing) are affected by this setting, so Solid Security only applies the restriction to new user accounts (or when a user or admin goes to update an existing user account).

The Disable Extra User Archives setting disables a user’s author page if their post count is 0. This makes it harder for bots to determine usernames by disabling post archives for users who don’t post to your site.

Hide Backend #

The Hide Backend feature hides the login page (wp-login.php, wp-admin, admin, and login) behind a custom URL, making it harder for automated attacks to find and easier for users unfamiliar with the WordPress platform to reach.

You can enable this setting in Security > Settings > Advanced > Hide Backend.

Important: once you change the backend URL, it’s possible to inadvertently lock yourself out if you then can’t remember the URL. If you’ve forgotten your Hide Backend URL, the temporary fix is to add a line of code to your wp-config.php file. 

define('ITSEC_DISABLE_MODULES', true);

Note that this line of code temporarily deactivates ALL Solid Security features, so once you add it, be sure to visit Security -> Settings -> Advanced -> Hide Backend promptly to find your login slug, and either turn the feature off (by unchecking the box and saving the settings), or note the slug and remove the line from the wp-config.php file.

Either way, you want to either remove or comment out that code as soon as possible. Learn more about editing the wp-config.php file.

URLs #

Login Slug

The login URL slug cannot be “login,” “admin,” “dashboard,” or “wp-login.php” as these are used by default in WordPress. 

Register Slug

The URL/slug you want to use for site registration.

Note: The slug is limited to alphanumeric characters, underscore (_), and dash (-). Special characters such as “.” and “/” are not allowed and will be converted in the same manner as a post title. Please review your selection before logging out.

Important note on slug characters: #

When choosing your Login Slug, be sure to use only letters, numbers, hyphens (-) and underscores (_). Avoid characters such as the hash symbol (#) or other URL fragment or query characters. Using a # (hash) creates a URL fragment that is stripped before the request reaches the server, which can cause a 404 Not Found error when accessing the login URL via the custom login slug.

Example: https://example.com/my-login-slug works correctly, but https://example.com/my-login-slug#123abc will not match and will return a 404.

If you receive a 404 after enabling Hide Backend, double-check your slug for invalid characters and update it accordingly.
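The following added PHP check (not Solid Security’s own code) validates a candidate slug against the rules stated above and shows, using PHP’s parse_url(), why a “#” can never reach the server as part of the path. The sample candidates are constructed.

```php
<?php
// Added example, not Solid Security's code: validate a Hide Backend slug against
// the rules given above and explain why a "#" in the slug cannot work.

/** Slugs the page lists as already used by WordPress and therefore not allowed. */
const RESERVED_LOGIN_SLUGS = array( 'login', 'admin', 'dashboard', 'wp-login.php' );

/**
 * Return an empty array when $slug is acceptable, otherwise a list of problems.
 */
function validate_login_slug( string $slug ): array {
    $problems = array();
    if ( '' === $slug ) {
        $problems[] = 'slug is empty';
    }
    if ( in_array( $slug, RESERVED_LOGIN_SLUGS, true ) ) {
        $problems[] = "'$slug' is reserved by WordPress";
    }
    // Only letters, digits, underscore and dash are allowed.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $slug ) ) {
        $problems[] = 'slug contains characters other than letters, digits, "_" and "-"';
    }
    // The most common mistake: "#" starts a URL fragment, which browsers keep to
    // themselves, so the server only ever sees the path before it.
    if ( false !== strpos( $slug, '#' ) ) {
        $path       = parse_url( 'https://example.com/' . $slug, PHP_URL_PATH );
        $problems[] = "'#' starts a fragment; the server would only receive the path '$path'";
    }
    return $problems;
}

// Constructed sample inputs: one valid slug and three that break the rules.
$candidates = array( 'my-login-slug', 'my-login-slug#123abc', 'admin', 'my.login/slug' );
foreach ( $candidates as $candidate ) {
    $problems = validate_login_slug( $candidate );
    printf( "%-22s %s\n", $candidate, $problems ? implode( '; ', $problems ) : 'OK' );
}
```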

Redirection #

Enable Redirection

Instead of displaying a “403” error, you can choose to redirect to any page or post – your 404 page or another page with on-screen instructions for your users.

Redirection Slug

The slug of the page or post to which site users are redirected when they try to access wp-admin while not logged in.

Advanced #

Custom Login Action

WordPress uses the “action” variable to handle many log in and log out functions. By default, this plugin can handle the normal ones, but some plugins and themes may utilize a custom action (such as logging out of a private post). If you need a custom action please enter it here.

Sidenote: Why even have the Hide Backend feature? #

The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute-force attacks?

The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bulletproof security strategy. It’s not a bad practice, it’s just not “load bearing” in terms of strategy. By all means use it, just don’t trust it alone. In fact, the benefit of hiding the backend is often more about users feeling safe than actually being safer.

While hiding your backend wp-admin URL can help mitigate some of the attacks on your login, it won’t necessarily stop all of them, because there are other ways to log into your WordPress site besides using a browser, such as XML-RPC or the REST API.

In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL. It’s another (small) hurdle toward getting logged in.

The truth is that you can’t completely (or truly) hide the backend login page of your WordPress website.

Feature Flags #

The Feature Flags settings in Solid Security Pro allow you to try experimental features before they are released. 

How to Enable Feature Flags in the Solid Security Menu #

To enable an experimental feature, navigate to the Advanced page in the Solid Security Pro settings and click the Feature Flags dropdown. Then, check the box next to the feature you want to enable.

Image showing enabling feature flags #

How to disable Feature Flags manually #

To disable the Feature Flags menu manually, add the line below to your site’s wp-config.php file above the “That’s all, stop editing! Happy publishing!” line.

define( 'ITSEC_SHOW_FEATURE_FLAGS', false );

Learn more about editing the wp-config.php file.

Updated on November 18, 2025
