The Trusted Devices module provides an additional layer of security against Stolen Session Cookie attacks, a common threat in WordPress websites.
It notifies you when an unrecognized device attempts to log in, and lets you confirm that device via email or from the admin bar.
Key features include optional email notifications for unrecognized logins, restricting capabilities on unrecognized devices, protection against session hijacking, and seamless integration with two-factor authentication to remember trusted devices.
Settings #

When Trusted Devices is ON, you’ll see two settings that can be turned on/off:
- Restrict Capabilities — This lets you restrict a user’s administrator-level capabilities and prevent them from editing their login details when they are logged in on an unrecognized device.
- Note: This requires the “Unrecognized Login” email notification to be enabled within the Solid Security Notifications.
- Session Hijacking Protection — Session hijacking, sometimes called cookie hijacking, is a strategy used by hackers to take control of your account while you are using it, effectively becoming the owner. Enabling this setting can prevent session hijacking by ensuring that a user’s device does not change during a session.
- If a user’s device changes during a session, Solid Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins. You can find more information about Session Hijacking here.
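As an added illustration of the session-binding idea behind this setting (example code, not Solid Security’s implementation), the Python sketch below ties a session token to a device fingerprint captured at login and revokes the session when a later request presents a different device, which is the forced logout described above. The fingerprint inputs (User-Agent plus the client’s /24 IPv4 or /48 IPv6 network prefix) are assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Added example, not Solid Security's code. The fingerprint inputs (User-Agent
# plus the client's /24 IPv4 or /48 IPv6 network) are assumptions; hashing a
# network prefix instead of the exact IP tolerates small address changes inside
# one network, such as a renewed DHCP lease, without treating them as a new device.

def device_fingerprint(user_agent: str, ip: str) -> str:
    """Hash the User-Agent and the client's network prefix into a device identifier."""
    prefix = "/48" if ":" in ip else "/24"
    try:
        net = str(ipaddress.ip_network(ip + prefix, strict=False))
    except ValueError:
        net = ip  # unparsable address: fall back to the raw string
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions, each bound to the device fingerprint seen at login."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[int, str]] = {}  # token -> (user_id, fingerprint)

    def login(self, user_id: int, user_agent: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, device_fingerprint(user_agent, ip))
        return token

    def validate(self, token: str, user_agent: str, ip: str):
        """Return the user id for a valid session, or None (revoking it on a device change)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expected = entry
        presented = device_fingerprint(user_agent, ip)
        if not hmac.compare_digest(expected, presented):
            # The device changed mid-session: treat the cookie as stolen and log
            # the user out by deleting the session on the server side.
            del self._sessions[token]
            return None
        return user_id
```

A cookie replayed from the same network with a copied User-Agent still passes this check, so binding narrows the window for a stolen session rather than closing it; short session lifetimes and re-authentication for sensitive actions remain necessary.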

Trusted Devices in User Groups #
After enabling the Trusted Devices module, you’ll want to make sure that in your Solid Security User Groups settings, the “Enable Trusted Devices” toggle is ON for each user group you want it enforced for:

How does the Trusted Devices feature work? #
After enabling the Trusted Devices module, administrators will see a Login Alerts tab in the WordPress admin bar with pending unrecognized devices.


When you’re logged in on an unrecognized device and Restrict Capabilities is enabled, you will see a prompt from Solid Security informing you that you’re currently in Unrecognized Login Mode.
You can either confirm the device or choose to continue the session with limited access:

Depending on the environment, Solid Security can also inform you via the Login Alerts tab:

Clicking either the “Send confirmation email” button or “confirm this device” link will trigger an Unrecognized Login email notification with a button to approve/disapprove a device.
Note: You’ll need to log in again after confirming a device.
Optional Email Notification #
In addition to the WordPress admin login notice, an Unrecognized Login email notification (optional but recommended) can also alert you whenever an unrecognized device has been used to log in.
To receive this email notification, first, you’ll need to enable the “Restrict Capabilities” Trusted Devices setting.
Then, go to Security > Notifications > Unrecognized Login and enable it.

WordPress User Profile with Trusted Devices Info #
You can manage your trusted devices via the WordPress User Profile page.

If a device is marked as “Pending”, you can update it to either “Approved” or “Denied”. But once a device is approved/denied, the status cannot be changed. Solid Security can also auto-approve a device if it recognizes it as similar enough to an existing trusted device.
Administrators can see the Trusted Devices of the site users and approve/deny a device. This is helpful when you, an admin, cannot fully access the site because the Trusted Devices module has kicked in and you cannot confirm the Unrecognized Login email for some reason; another admin can then approve the device for you.
Note: Users are recommended to approve or deny devices via the Unrecognized Login email notification. The Trusted Devices list in the Profile page is intended as a support tool for site administrators if a user locks themselves out accidentally.
Integration with Two-Factor Authentication #
Trusted Devices powers Solid Security’s “Remember Me” setting in Two-Factor Authentication. If the device doesn’t look the same, users are forced to re-enter their Two-Factor code instead of bypassing it.
To have the “Remember Me” option during log in, you’ll need to enable the “Allow Remembering Device” option in Security > Settings > User Groups.

Note: While remembering devices is convenient, it is more secure to require users to enter a new Two-Factor token each time they log in.
Geolocation #
Enabling Geolocation in Utilities further enhances the Trusted Devices module by providing insights into the geographical location of users accessing the site.
Solid Security uses external geolocation services to match IP addresses with physical locations:
- MaxMind GeoLite2 – downloads the latest IP-to-location database from download.maxmind.com (updated once per week via WordPress cron).
- Mapbox – provides map images for displaying device locations, accessed through api.mapbox.com.
Location #
Solid Security Pro uses MaxMind’s free GeoLite2 database to geolocate IP addresses; lookups run against the locally downloaded database without connecting to an external API.
However, if you want increased accuracy, it is recommended to connect to MaxMind’s API using the MaxMind GeoIP2 Precision: City service.
Configuring MaxMind GeoLite2 #
1) Sign up at MaxMind for your free account.

2) Accept the terms of service, and click Continue.

3) Once you have signed up, you will see an on-screen confirmation.

4) Check your email for the confirmation, and click to set your password and log in.

5) Create your secure password.

6) Log in to your account. On the left-hand side of the screen, click Manage License Keys and click the Generate new license key button.

7) Name your key, select No, and then click Confirm.

8) Copy your license key and paste it into a safe place.

9) Return to your site, and go to the Geolocation settings. Paste your key, and click Download DB.

10) Save your settings – and that’s it!

If you prefer to sign up for the MaxMind GeoIP2 Precision City Service, you can use that API instead of the MaxMind GeoLite2 key. That is a paid service, and for most users, the $25 option is sufficient.

How often are the GeoIP2 and GeoLite2 databases updated? #
- The GeoIP2 Anonymous IP database is updated daily.
- The GeoIP2 Country, City, ISP, Connection Type, and Enterprise databases are updated weekly, every Tuesday.
- The GeoIP2 Domain Name database is updated monthly on the first Tuesday of each month.
- The GeoLite2 Country, City, and ASN databases are updated weekly, every Tuesday.
You can find more information and support for the MaxMind services here.
Mapping #
This lets you hook into Mapbox or MapQuest mapping services for visually representing the login locations of unrecognized logins, giving you a clear understanding of login activities.
You will need to obtain either a Mapbox API Key or a MapQuest API (Consumer) Key to use this option.

Is there an IP address I can allowlist for Geolocation? #
Both MaxMind GeoLite2 and Mapbox services run on cloud and CDN networks (like AWS), so their IP addresses change regularly. Because of that, Solid Security connects to hostnames, not fixed IPs.
Best Practices:
If you use a firewall or server with restricted outbound traffic:
- Allow outbound HTTPS (port 443) to download.maxmind.com and api.mapbox.com.
- Check your firewall logs for those hostnames to confirm legitimate connections.
This ensures Solid Security can keep its location data up to date and display trusted device maps correctly.
Does Solid Security provide features for GeoIP banning? #
Solid Security does not offer Geo IP banning. See below for more information.
The Misconceptions of GeoIP Banning #
GeoIP-based country blocking is often assumed to be an effective security control. In practice, its protection value is limited, and it can create unintended usability and performance issues. The following points explain why.
1. Blocking a country does not block that country’s attackers.
GeoIP blocking is based on the idea that attackers primarily operate from specific countries, so blocking those countries reduces attacks.
In reality, attackers use global networks of compromised systems, proxies, VPNs, and cloud services to disguise their origin. A single attacker can launch requests from hundreds of different countries simultaneously.
Blocking certain countries may stop some low-effort scans, but it won’t prevent targeted or automated attacks. Most malicious traffic comes from globally-distributed infrastructure, not from an attacker’s physical location.
2. Allowing only one country still leaves a large attack surface
It was once estimated that nearly half of all tracked IP addresses were based in the United States. While the exact figures have changed with the growth of IPv6 and shared carrier networks, the point remains: allowing only one country still exposes a large percentage of global IP space.
Even if you limit access to a certain country, attackers can easily route traffic through other methods (e.g., VPNs, data centers, or CDNs), so GeoIP restrictions only remove a fraction of possible attack areas.
3. GeoIP blocking provides less protection than stronger authentication
Making your password stronger, or, better yet, enabling two-factor authentication (2FA) or passkeys, would increase your login security far more than blocking countries ever could.
GeoIP blocking may slow down a brute-force attacker, but improving password strength or using modern authentication methods multiplies the effort required for the attackers to succeed.
Adding features like rate limiting, CAPTCHAs, or temporary lockouts after multiple failed attempts is also far more effective, with fewer side effects.
4. Limiting access by states or cities is unreliable
Geolocation accuracy decreases significantly below the country level.
MaxMind, the source used by many security tools, reports country-level accuracy near 99%, but city accuracy can drop below 80%, and even lower for mobile users and IPv6 connections.
This means legitimate users may be accidentally blocked based on where their connection appears to originate. Mobile carriers frequently route traffic through regional gateways hundreds of miles away, further reducing accuracy and often leading to false lockouts for site owners or travelers.
5. Adding GeoIP banning lookups increases server workload
Every GeoIP lookup adds a small amount of processing overhead. On a modern server, this is minimal under normal conditions, but during heavy login attacks, it can add up and cause an overload.
Offloading geographic filtering to a WAF (Web Application Firewall) or CDN can mitigate this overhead. Even so, proper authentication and rate limiting deliver more security benefit than geographic filtering does.
A system under brute-force load should fail fast with authentication controls, not spend resources performing unnecessary lookups.
Best Practices:
Use these modern practices which offer more reliable protections than GeoIP blocking:
- Make your user authentication stronger: use strong, unique passwords, passkeys, and 2FA.
- Apply rate limits and lockouts on login endpoints.
- Use GeoIP as a complementary signal that alerts you to suspicious events and triggers extra verification if a login originates from an unusual country.
- If absolutely necessary, restrict geography only at the network edge (WAF/CDN) and monitor for false positives.
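As an added example of the practices above (not Solid Security’s own logic), the Python sketch below evaluates a sequence of login events with a per-user failed-attempt lockout and treats the GeoIP country only as a step-up signal: a correct password from a country not seen before for that user requires extra verification rather than being blocked. The login events, the five-failure threshold, and the assumption that the extra verification succeeds are all constructed for the example.

```python
from collections import defaultdict

# Added example, not Solid Security's code. Country codes stand in for the
# result of a GeoIP lookup; the lockout threshold is an assumed policy value.
LOCKOUT_THRESHOLD = 5  # consecutive failures before a temporary lockout

# Constructed login events in order: (user, geoip_country, password_ok).
LOGIN_EVENTS = [
    ("alice", "US", True),
    ("alice", "US", True),
    ("alice", "BR", True),   # first login from a new country: extra verification
    ("alice", "BR", True),   # BR is now a known country for alice
    ("bob", "DE", True),
    ("bob", "NL", False), ("bob", "NL", False), ("bob", "NL", False),
    ("bob", "NL", False), ("bob", "NL", False),   # fifth failure locks bob out
    ("bob", "DE", True),     # correct password from a known country, but locked
]


def evaluate_logins(events, threshold=LOCKOUT_THRESHOLD):
    """Return one (user, country, action) per event: allow, step-up, deny or locked."""
    known = defaultdict(set)     # user -> countries seen on earlier successful logins
    failures = defaultdict(int)  # user -> consecutive failed attempts
    locked = set()
    decisions = []
    for user, country, password_ok in events:
        if user in locked:
            action = "locked"    # fail fast: no further checks or lookups needed
        elif not password_ok:
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
            action = "deny"
        else:
            failures[user] = 0
            # An unseen country is a signal for extra verification, never a block;
            # a user's very first login establishes the baseline.
            action = "step-up" if known[user] and country not in known[user] else "allow"
            known[user].add(country)  # assumes the second factor succeeded
        decisions.append((user, country, action))
    return decisions
```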
