WordPress websites face constant security threats, making robust protection essential for site owners, developers, and agencies managing multiple client sites. The Solid Security plugin offers comprehensive protection against hackers, malware, and brute force attacks, but proper setup and configuration make all the difference between basic protection and bulletproof security.
This guide walks you through transforming your WordPress site into a security fortress using proven Solid Security strategies. You’ll discover how to set up advanced login protection that stops attackers in their tracks, configure database security optimization to protect your most valuable data, and implement firewall rules that block threats before they reach your site. Each section includes step-by-step instructions and real-world tips from security experts who’ve protected thousands of WordPress installations.
Essential Solid Security Plugin Setup and Configuration
Download and Install from WordPress Repository
Getting solid security protection for your WordPress site starts with the right installation. Head to your WordPress admin dashboard and navigate to Plugins > Add New. Search for “Solid Security” in the plugin repository – you’ll find it listed under its previous name “iThemes Security” since the rebrand happened recently.
Click the “Install Now” button and wait for the download to complete. The plugin weighs in at around 3MB, so installation should be quick on most hosting environments. Once installed, hit “Activate” to enable the plugin on your site.
| Installation Method | Time Required | Difficulty Level |
|---|---|---|
| WordPress Dashboard | 2-3 minutes | Beginner |
| FTP Upload | 5-7 minutes | Intermediate |
| WP-CLI | 1 minute | Advanced |
For sites with restricted plugin installation capabilities, you can download the zip file directly from WordPress.org and upload it via FTP to your /wp-content/plugins/ directory.
Complete Initial Security Wizard Setup
After activation, Solid Security launches its setup wizard automatically. This guided process walks you through the most important security configurations without overwhelming technical details. The wizard covers five main areas that form your security foundation.
The first step asks about your site type – blog, business site, or e-commerce. Your selection determines the security level recommendations. E-commerce sites get stricter settings since they handle sensitive customer data.
Next, you’ll configure administrator access. The wizard suggests creating a new admin username if you’re still using “admin” – a common target for brute force attacks. Pick something unique and unrelated to your business name.
The backup configuration step connects with popular backup plugins or services. Even though Solid Security isn’t primarily a backup solution, having this integration ensures your security changes don’t interfere with existing backup schedules.
Database security comes next, where the wizard offers to change your database table prefix from the default “wp_”. This simple change makes automated attacks harder since most target the standard prefix.
Finally, the wizard sets up basic file permissions and creates essential security files like .htaccess rules for Apache servers.
Configure Core Security Settings for Maximum Protection
The Settings dashboard gives you granular control over Solid Security’s protection mechanisms. Start with the Global Settings tab to establish your security baseline across all modules.
Lockout Settings deserve immediate attention. Set the lockout period to 15 minutes for the first offense, escalating to 60 minutes for repeat attempts from the same IP. This balance prevents legitimate users from getting permanently locked out while deterring attackers.
Email Notifications should go to a dedicated security email address, not your main business email. Create something like security@yourdomain.com to keep security alerts organized and ensure they don’t get buried in regular correspondence.
Geolocation Blocking works well if your site serves a specific geographic region. Block countries where you don’t expect legitimate traffic, but be careful with this feature if you have international users or team members.
The Strong Password Enforcement setting applies to all user roles. Enable this for authors and above but consider the user experience impact for subscribers who might struggle with complex password requirements.
Two-Factor Authentication integration with apps like Google Authenticator or Authy adds an extra security layer. Enable this for administrators immediately and encourage other users to adopt it voluntarily.
Activate Critical Security Modules
Solid Security organizes its features into modules that you can enable or disable based on your needs. Some modules are essential for every WordPress site, while others depend on your specific requirements.
Brute Force Protection should be your first activated module. It monitors login attempts and blocks IPs that show suspicious patterns. The default settings work well for most sites – 5 failed attempts trigger a 15-minute lockout.
File Change Detection monitors your WordPress core files, active theme, and plugins for unauthorized modifications. Enable email alerts for this module since file changes often indicate compromise attempts or successful attacks.
404 Detection catches attempts to access non-existent files, often used in reconnaissance attacks. Set it to trigger after 20 attempts in 5 minutes – this catches scanning tools without false positives from legitimate users who might mistype URLs.
Strong Password Enforcement works at the WordPress level, requiring complex passwords for new accounts and password changes. This module integrates with user registration forms and profile updates.
SSL Enforcement redirects all HTTP traffic to HTTPS if you have an SSL certificate installed. This module also sets the secure flag on cookies and updates internal links to use HTTPS.
The Malware Scanning module performs daily scans of your WordPress installation, comparing file checksums against known good versions. While not as comprehensive as dedicated security services, it catches common malware infections and file corruptions.
Database Backups creates automatic backups before major security updates. Store these backups outside your web root directory for maximum protection against server compromises.
Advanced Login Protection and User Security
Enable Two-Factor Authentication for All Users
Two-factor authentication (2FA) acts as your website’s security bouncer, making sure only authorized users get past the front door. When you activate 2FA through Solid Security, you’re adding a second layer of protection that hackers can’t easily bypass, even if they crack someone’s password.
Setting up 2FA starts in your WordPress dashboard under the Solid Security settings. Navigate to the User Security section and enable the two-factor authentication feature. The plugin supports multiple authentication methods including time-based one-time passwords (TOTP) through apps like Google Authenticator or Authy, email-based codes, and backup recovery codes.
For website administrators, enforcing 2FA across all user roles becomes crucial. Configure the plugin to require 2FA for administrators first, then extend it to editors and other user levels based on your site’s needs. Users will receive setup instructions via email, guiding them through the authentication app installation process.
The backup recovery codes feature deserves special attention. Generate and securely store these codes for each user account, as they provide access when primary authentication methods fail. Store these codes in a password manager or secure physical location.
Monitor 2FA adoption rates through the plugin’s user security dashboard. Some users might resist the change, so provide clear documentation and support during the transition period. The short-term inconvenience pays massive dividends in long-term security.
Set Up Strong Password Enforcement Policies
Password strength policies transform weak login credentials into fortress-level protection. Solid Security’s password enforcement features help you establish and maintain robust password standards across your entire WordPress installation.
Configure minimum password requirements including length, character complexity, and forbidden patterns. Set passwords to require at least 12 characters with a mix of uppercase letters, lowercase letters, numbers, and special characters. The plugin can block common password patterns like “123456” or “password” that appear on breached password lists.
Password aging policies force regular updates while preventing password reuse. Set passwords to expire every 90 days for regular users and every 60 days for administrators. The plugin maintains a history of previously used passwords, preventing users from recycling old credentials.
Dictionary attack protection blocks passwords that contain common words or phrases. Upload custom wordlists relevant to your industry or organization to prevent domain-specific weak passwords. This feature proves especially valuable for businesses where employees might use company names or industry terms in their passwords.
| Password Policy Setting | Recommended Value | Security Impact |
|---|---|---|
| Minimum Length | 12 characters | High |
| Character Complexity | Mixed case + numbers + symbols | High |
| Password History | 12 previous passwords | Medium |
| Expiration Period | 90 days (users), 60 days (admins) | Medium |
| Dictionary Protection | Enabled with custom wordlists | High |
Real-time password strength feedback helps users create compliant passwords during registration or password resets. The visual strength meter guides users toward better password choices without frustrating them with cryptic error messages.
Configure Login Attempt Limits and Lockout Rules
Login attempt limits create an intelligent defense system that adapts to attack patterns while maintaining usability for legitimate users. Solid Security’s lockout features protect against brute force attacks without creating barriers for authorized access.
Start with conservative lockout thresholds: lock accounts after five failed attempts within a 15-minute window. This balance prevents most automated attacks while accommodating users who mistype passwords occasionally. Adjust these numbers based on your user base’s behavior patterns and security requirements.
Progressive lockout durations increase security effectiveness. Configure initial lockouts for 15 minutes, extending to one hour after repeated violations, and escalating to 24 hours for persistent attacks. This graduated approach frustrates attackers while minimizing impact on legitimate users who experience temporary access issues.
IP-based blocking complements user-based lockouts by tracking attack sources. Enable automatic IP blocking after multiple failed attempts from the same address, even across different usernames. Whitelist trusted IP ranges for administrators and key users to prevent accidental self-lockouts.
The plugin’s intelligent detection capabilities distinguish between human users and automated attacks. Configure stricter rules for rapid-fire login attempts that indicate bot activity, while applying more lenient policies to slower, human-paced login failures.
Customize lockout notifications to inform users about security measures without revealing system details to potential attackers. Send email alerts to locked users with clear instructions for regaining access, including contact information for manual unlock requests.
Geographic restrictions add another security layer by blocking login attempts from unexpected locations. Enable country-based blocking if your user base operates within specific regions, but provide override mechanisms for legitimate travelers or remote workers.
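The login and 404 thresholds described above (five failures in fifteen minutes, lockouts escalating from 15 minutes to an hour to a day, and twenty 404s in five minutes), worked as an added Python example. This is not Solid Security's own code, and the IP addresses and usernames are constructed sample data.

```python
from collections import defaultdict, deque

# Added example, not Solid Security's own code: a sliding-window failure
# counter with progressive lockouts using the thresholds this guide gives.
# One class serves both login failures (5 in 15 minutes, locking for 15 min,
# then 60 min, then 24 h) and 404 detection (20 in 5 minutes). Timestamps
# are plain seconds so the logic runs and tests offline.

LOGIN_WINDOW, LOGIN_THRESHOLD = 15 * 60, 5
NOTFOUND_WINDOW, NOTFOUND_THRESHOLD = 5 * 60, 20
LOCKOUT_STEPS = (15 * 60, 60 * 60, 24 * 60 * 60)


class LockoutTracker:
    """Counts failures per key (an IP or a username) inside a sliding window."""

    def __init__(self, window, threshold, steps=LOCKOUT_STEPS):
        self.window, self.threshold, self.steps = window, threshold, steps
        self._hits = defaultdict(deque)        # key -> timestamps of recent failures
        self._locked_until = defaultdict(float)
        self._offenses = defaultdict(int)      # key -> lockouts issued so far

    def is_locked(self, key, now):
        return self._locked_until[key] > now

    def record_failure(self, key, now):
        """Register one failure at time `now`. Returns the lockout length in
        seconds when this failure trips the threshold, otherwise 0."""
        if self.is_locked(key, now):
            return 0                           # already blocked; nothing to count
        hits = self._hits[key]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                     # forget failures older than the window
        if len(hits) < self.threshold:
            return 0
        # Progressive lockout: offense N gets step N, capped at the last step.
        duration = self.steps[min(self._offenses[key], len(self.steps) - 1)]
        self._offenses[key] += 1
        self._locked_until[key] = now + duration
        hits.clear()
        return duration


def process_login_failures(events, allowlist=()):
    """events: iterable of (timestamp, ip, username) for failed logins.
    Failures are counted per username and per IP, so one address rotating
    through many usernames is still locked; allowlisted IPs (the guide's
    admin whitelist) are never counted. Returns (timestamp, key, seconds)
    for every lockout that fires."""
    by_user = LockoutTracker(LOGIN_WINDOW, LOGIN_THRESHOLD)
    by_ip = LockoutTracker(LOGIN_WINDOW, LOGIN_THRESHOLD)
    lockouts = []
    for ts, ip, user in events:
        if ip in allowlist:
            continue
        for tracker, label, key in ((by_user, "user", user), (by_ip, "ip", ip)):
            duration = tracker.record_failure(key, ts)
            if duration:
                lockouts.append((ts, f"{label}:{key}", duration))
    return lockouts


def sample_events():
    """Constructed sample: one TEST-NET address rotating usernames in three
    bursts timed just after each lockout expires, plus an allowlisted admin
    mistyping a password six times."""
    burst = ("admin", "editor", "shop", "test", "root")
    events = []
    for start in (0, 1000, 5000):
        events += [(start + i, "203.0.113.7", u) for i, u in enumerate(burst)]
    events += [(2, "198.51.100.9", "alice")] * 6
    return sorted(events)


if __name__ == "__main__":
    for ts, key, seconds in process_login_failures(sample_events(), {"198.51.100.9"}):
        print(f"t={ts:>5}s  lock {key} for {seconds}s")
```

Without the allowlist the same sample also locks the admin's username and address after her fifth typo, which is the self-lockout the guide's whitelist advice is there to avoid.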
File System Security and Malware Protection
Activate Real-Time File Change Monitoring
Real-time file monitoring acts like a security guard for your WordPress site, watching every file 24/7 and alerting you when something changes unexpectedly. Solid Security’s file change detection catches unauthorized modifications instantly, giving you the power to respond before hackers can establish a foothold.
Navigate to Security > Settings > File Change in your WordPress admin panel. Enable the File Change Detection feature and select which file types to monitor. Focus on critical files like .php, .js, and configuration files while excluding temporary files and uploads that change frequently.
Configure the monitoring frequency based on your site’s activity level. High-traffic sites benefit from checking every few hours, while smaller sites can monitor daily. Set up exclusion rules for legitimate plugins that modify files regularly, preventing false alarms that could overwhelm your inbox.
The plugin creates checksums for monitored files, comparing them against previous versions. When changes occur, you’ll receive detailed reports showing exactly what was modified, when, and which files were affected. This granular visibility helps distinguish between legitimate updates and malicious tampering.
Configure Automated Malware Scanning Schedules
Automated scanning removes the guesswork from malware detection by running comprehensive security checks on your predetermined schedule. Solid Security’s malware scanner examines your entire WordPress installation, comparing files against known threat databases and identifying suspicious code patterns.
Set up daily scans for active sites or weekly scans for static websites. Access Security > Settings > Malware Scanning and choose your preferred scanning frequency. The plugin offers multiple scanning modes: quick scans for recent changes and deep scans for thorough system analysis.
Configure scan parameters to balance thoroughness with performance. Enable database scanning to detect malicious injections in posts, comments, and user data. Include theme and plugin directories, as these locations often harbor backdoors and infected files.
Create scanning profiles for different scenarios. Use intensive scans during maintenance windows and lighter scans during peak traffic hours. The plugin can automatically quarantine suspicious files and generate detailed reports showing scan results, threat classifications, and recommended actions.
Set Up File Integrity Monitoring Alerts
File integrity monitoring transforms your WordPress site into a fortress that immediately reports any breach attempts. This feature goes beyond basic change detection by analyzing the nature and severity of file modifications, helping you prioritize security responses.
Configure alert sensitivity levels in Security > Notifications > File Changes. Set high-priority alerts for core WordPress files, theme files, and plugin modifications. Medium alerts work well for configuration file changes, while low alerts can monitor less critical directories.
Customize notification channels to ensure critical alerts reach you immediately. Enable email notifications for urgent threats, SMS alerts for core file changes, and dashboard notifications for routine modifications. Create different alert profiles for various team members based on their security responsibilities.
The monitoring system tracks file hashes, timestamps, and permission changes. When alterations occur, alerts include specific details like modified line numbers, changed content, and potential security implications. This information helps you quickly assess whether changes are legitimate updates or security threats.
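The baseline-and-compare approach described in the last two subsections, as an added Python example rather than the plugin's own code. The exclusion globs, the severity tiers and the sample file layout are assumptions modelled on the guide's advice.

```python
import hashlib
import os
import stat
import tempfile
from fnmatch import fnmatch

# Added example, not Solid Security's code, of the checksum baseline the guide
# describes: record hash, size, mtime and permission bits of monitored files,
# then diff a later snapshot against the baseline. Exclusion globs and the
# severity mapping are assumptions modelled on the guide's alert tiers.
EXCLUDE_GLOBS = ("wp-content/uploads/*", "wp-content/cache/*", "*.log", "*.tmp")
MONITORED_SUFFIXES = (".php", ".js", ".htaccess")

def severity(relpath):
    """Alert tier for a path relative to the WordPress root."""
    if relpath in ("wp-config.php", ".htaccess"):
        return "medium"                        # configuration files
    if "/" not in relpath or relpath.startswith(("wp-admin/", "wp-includes/",
            "wp-content/themes/", "wp-content/plugins/")):
        return "high"                          # core, theme and plugin code
    return "low"

def monitored(relpath):
    """True for .php/.js/.htaccess paths not matched by an exclusion glob."""
    if any(fnmatch(relpath, pattern) for pattern in EXCLUDE_GLOBS):
        return False
    return relpath.endswith(MONITORED_SUFFIXES)

def snapshot(root):
    """Return {relpath: (sha256, size, mtime, mode)} for monitored regular files."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if not monitored(rel) or not stat.S_ISREG(st.st_mode):
                continue                       # excluded path, symlink or device
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (digest.hexdigest(), st.st_size, int(st.st_mtime),
                           stat.S_IMODE(st.st_mode))
    return result

def compare(old, new):
    """Diff two snapshots into sorted (kind, severity, relpath) findings."""
    findings = [("added", severity(r), r) for r in new.keys() - old.keys()]
    findings += [("removed", severity(r), r) for r in old.keys() - new.keys()]
    for rel in old.keys() & new.keys():
        if old[rel][0] != new[rel][0]:
            findings.append(("modified", severity(rel), rel))
        elif old[rel][3] != new[rel][3]:       # same content, different mode bits
            findings.append(("permissions", severity(rel), rel))
    return sorted(findings)

def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(body)
    os.chmod(full, 0o644)                      # the guide's recommended file mode

def demo():
    """Constructed mini-site: baseline it, tamper with it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "wp-login.php", "<?php // core\n")
        write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write(root, "wp-content/plugins/demo/demo.php", "<?php // plugin\n")
        write(root, "wp-content/uploads/2024/upload.php", "<?php // excluded\n")
        baseline = snapshot(root)
        # Three simulated changes: plugin edited, config made world-writable,
        # script dropped into a theme directory. The uploads file stays invisible
        # to this check, which is why the guide also blocks PHP execution there.
        write(root, "wp-content/plugins/demo/demo.php", "<?php // plugin\n// edit\n")
        os.chmod(os.path.join(root, "wp-config.php"), 0o646)
        write(root, "wp-content/themes/demo/extra.js", "/* new */\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, sev, path in demo():
        print(f"{sev:6} {kind:11} {path}")
```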
Enable Core File Protection Features
Core file protection creates an impenetrable shield around WordPress’s essential files, preventing unauthorized modifications that could compromise your entire site. Solid Security’s core protection features lock down critical system files while maintaining compatibility with legitimate updates.
Activate Core File Monitoring in Security > Settings > File System. This feature prevents modifications to wp-config.php, .htaccess, and core WordPress files. The plugin maintains a database of original file signatures, instantly detecting and blocking unauthorized changes.
Enable System File Protection to prevent execution of potentially dangerous files. This feature restricts access to backup files, configuration files, and other sensitive documents that shouldn’t be publicly accessible. Configure rules to block direct access to PHP files in uploads directories and prevent execution of scripts in temporary folders.
Set up File Permission Hardening to enforce proper security permissions across your WordPress installation. The plugin automatically corrects insecure file permissions and prevents privilege escalation attacks. Configure automatic permission fixes for directories (755) and files (644) while maintaining functionality for legitimate operations.
| Protection Feature | Security Level | Performance Impact | Recommended For |
|---|---|---|---|
| Real-time monitoring | High | Low | All sites |
| Automated scanning | Medium | Medium | Active sites |
| Integrity alerts | High | Minimal | Business sites |
| Core protection | Maximum | Low | All installations |
Database Security Optimization
Change Default Database Table Prefixes
Your WordPress database comes with a default table prefix “wp_”, which hackers know by heart. Changing this prefix is like switching your house address – it makes your database much harder to find and target. Solid Security makes this process straightforward, but timing matters.
You can change the prefix during initial setup or later, though doing it after your site is established requires more caution. The plugin handles the technical heavy lifting, automatically updating all references throughout your database. Pick something unique but memorable – avoid obvious choices like “secure_” or “safe_”. A combination of random letters and numbers works best.
Before making changes:
| Preparation Step | Why It Matters |
|---|---|
| Full site backup | Recovery option if issues arise |
| Plugin/theme compatibility check | Some may hardcode the prefix |
| Staging environment test | Verify everything works properly |
The process involves updating not just table names but also WordPress options and user metadata that reference the old prefix. Solid Security handles these updates automatically, but always verify your site functions normally afterward.
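The prefix change as an added example (not the plugin's code), run against an in-memory SQLite stand-in for the WordPress database. "k7d3_" is a constructed sample prefix and the schema is a minimal stand-in for the real tables; the point it demonstrates is the option and user-metadata rows whose names embed the prefix.

```python
import sqlite3

# Added example, not the plugin's own code: the table-prefix change the guide
# describes, run against an in-memory SQLite stand-in for a WordPress
# database. It renames every core table and rewrites the rows whose *names*
# embed the prefix (the 'wp_user_roles' option and the 'wp_capabilities' /
# 'wp_user_level' user metadata); forgetting those rows locks every user out.
# "k7d3_" is a constructed sample prefix. On MySQL quote identifiers with
# backticks and use CONCAT() instead of ||; wp-config.php's $table_prefix
# must be changed to match before the site is loaded again.

CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users")


def change_prefix(conn, old, new):
    """Rename old*-prefixed tables to new* and fix prefixed option/meta keys."""
    cur = conn.cursor()
    for table in CORE_TABLES:
        cur.execute(f'ALTER TABLE "{old}{table}" RENAME TO "{new}{table}"')
    # Match the prefix with SUBSTR, not LIKE 'wp_%': '_' is a LIKE wildcard,
    # so LIKE would also rewrite unrelated keys such as 'wpxfoo'.
    for table, column in ((f"{new}options", "option_name"),
                          (f"{new}usermeta", "meta_key")):
        cur.execute(
            f'UPDATE "{table}" SET {column} = ? || SUBSTR({column}, ?) '
            f'WHERE SUBSTR({column}, 1, ?) = ?',
            (new, len(old) + 1, len(old), old))
    conn.commit()


def build_sample_db(prefix="wp_"):
    """Constructed minimal schema with the kinds of rows a real site has."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    for table in CORE_TABLES:
        cur.execute(f'CREATE TABLE "{prefix}{table}" (id INTEGER PRIMARY KEY)')
    cur.execute(f'ALTER TABLE "{prefix}options" ADD COLUMN option_name TEXT')
    cur.execute(f'ALTER TABLE "{prefix}options" ADD COLUMN option_value TEXT')
    cur.execute(f'ALTER TABLE "{prefix}usermeta" ADD COLUMN meta_key TEXT')
    cur.execute(f'ALTER TABLE "{prefix}usermeta" ADD COLUMN meta_value TEXT')
    cur.executemany(
        f'INSERT INTO "{prefix}options" (option_name, option_value) VALUES (?, ?)',
        [("siteurl", "https://example.com"),
         (f"{prefix}user_roles", "serialized role definitions"),
         ("wpxfoo", "must stay untouched")])
    cur.executemany(
        f'INSERT INTO "{prefix}usermeta" (meta_key, meta_value) VALUES (?, ?)',
        [(f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
         (f"{prefix}user_level", "10"),
         ("nickname", "alice")])
    conn.commit()
    return conn


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def key_values(conn, table, column):
    rows = conn.execute(f'SELECT {column} FROM "{table}" ORDER BY {column}')
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    change_prefix(db, "wp_", "k7d3_")
    print(table_names(db))
    print(key_values(db, "k7d3_options", "option_name"))
    print(key_values(db, "k7d3_usermeta", "meta_key"))
```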
Enable Database Backup Encryption
Database backups contain your entire website’s sensitive information – user passwords, email addresses, private content, and configuration details. Without encryption, these backups become treasure troves for attackers who gain access to your hosting account or backup storage.
Solid Security provides robust encryption options that scramble your backup files using industry-standard algorithms. Even if someone steals your backup files, they’ll find useless encrypted data instead of readable information. The plugin supports multiple encryption methods, with AES-256 being the gold standard.
Set up automated encrypted backups that run during low-traffic periods. Store these backups in multiple locations – your hosting server, cloud storage, and local copies. The encryption keys should be stored separately from the backups themselves. Write down your encryption passwords and keep them in a secure location away from your computer.
Encryption best practices:
- Use complex, unique passwords for backup encryption
- Test backup restoration regularly with encrypted files
- Keep encryption keys in multiple secure locations
- Schedule backups during off-peak hours to minimize performance impact
Configure Database Access Restrictions
Your database should be Fort Knox – accessible only to authorized users and applications. Most WordPress installations leave database access wide open, allowing connections from anywhere. This creates unnecessary security holes that attackers can exploit.
Solid Security helps you implement strict database access controls. Start by restricting database connections to specific IP addresses – typically your web server and your own administrative access points. Block all other connection attempts at the database level.
Create separate database users with minimal permissions for different functions. Your WordPress installation needs one set of permissions, backup processes need another, and administrative access requires different rights. Never use the root database user for WordPress operations.
Database user permission matrix:
| User Type | SELECT | INSERT | UPDATE | DELETE | CREATE | DROP |
|---|---|---|---|---|---|---|
| WordPress App | ✓ | ✓ | ✓ | ✓ | Limited | Limited |
| Backup User | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Admin User | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Monitor database connection logs regularly. Unusual connection patterns, failed login attempts from unknown IP addresses, or connections during off-hours can signal potential security threats. Set up alerts through Solid Security to notify you immediately when suspicious database activity occurs.
Change default database ports if your hosting environment allows it. Most attacks target the standard MySQL port 3306. Using a custom port adds another layer of obscurity that makes automated attacks less likely to succeed.
Advanced Firewall Configuration and Attack Prevention
Configure Web Application Firewall Rules
Solid Security’s Web Application Firewall (WAF) acts as your website’s first line of defense against malicious requests. Setting up custom firewall rules requires understanding your site’s traffic patterns and potential threats. Start by navigating to the “Firewall” section within Solid Security and enable the basic protection mode.
The plugin offers three protection levels: Basic, Intermediate, and Advanced. Basic mode blocks common attacks like SQL injection and cross-site scripting (XSS), while Advanced mode provides granular control over specific attack vectors. Create custom rules by defining request patterns, file extensions, and user agents that should be blocked or allowed.
For e-commerce sites, configure rules to protect checkout pages and payment forms. Add specific protection for wp-admin directories, login pages, and sensitive files like wp-config.php. Monitor the firewall logs regularly to identify false positives and adjust rules accordingly.
Set Up IP Blacklisting and Whitelisting
IP management forms the backbone of effective access control. Solid Security provides robust tools for creating both blacklists and whitelists based on your security needs. Access the IP Management section to configure these settings.
Blacklisting works by blocking specific IP addresses or ranges that have shown malicious behavior. Add IPs that repeatedly attempt unauthorized access, send spam, or trigger security alerts. Use CIDR notation for blocking entire IP ranges when dealing with coordinated attacks from specific networks.
Whitelisting takes the opposite approach by only allowing access from trusted IP addresses. This method works best for administrative access or client-specific areas. Create whitelist entries for your office IP, trusted developers, and regular contributors. Always maintain an updated whitelist to prevent legitimate users from being locked out.
| IP Management Type | Best Use Case | Security Level |
|---|---|---|
| Blacklist | Blocking known threats | Medium |
| Whitelist | Admin/VIP access | High |
| Temporary blocks | Brute force mitigation | Variable |
Enable Country-Based Access Blocking
Geographic blocking helps reduce spam, malicious traffic, and compliance issues by restricting access based on visitor location. Solid Security integrates with GeoIP databases to provide accurate country-level blocking.
Access the Country Blocking feature and select countries that frequently generate unwanted traffic to your site. Many WordPress sites benefit from blocking countries known for hosting malicious servers or where your business doesn’t operate. Be cautious when blocking large countries, as this might affect legitimate visitors or search engine crawlers.
Consider your website’s purpose before implementing geographic restrictions. E-commerce sites with global shipping should avoid aggressive country blocking, while local business websites might benefit from restricting access to their primary market regions. Monitor your analytics after implementing country blocks to ensure you’re not losing valuable traffic.
Activate Brute Force Attack Protection
Brute force attacks target login pages by attempting multiple username and password combinations. Solid Security’s brute force protection monitors login attempts and automatically blocks suspicious activity.
Configure the maximum number of failed login attempts before triggering a lockout. Set this between 3-5 attempts for high-security environments or 5-10 attempts for sites with many legitimate users. Adjust the lockout duration based on your security needs – shorter durations for user convenience, longer periods for maximum protection.
Enable email notifications for brute force attempts to stay informed about attack patterns. The plugin can distinguish between manual attacks and automated bot attempts, applying different rules for each scenario. Consider implementing CAPTCHA verification after a certain number of failed attempts to add an extra security layer.
Configure Bot Detection and Blocking
Malicious bots consume server resources, scrape content, and attempt security breaches. Solid Security includes sophisticated bot detection algorithms that analyze visitor behavior patterns, request frequencies, and user agent strings.
Enable the bot blocking feature and configure detection sensitivity levels. High sensitivity catches more bots but may occasionally block legitimate crawlers. Medium sensitivity provides balanced protection suitable for most websites. Whitelist known good bots like Google, Bing, and other search engines to maintain SEO performance.
The plugin identifies bad bots through various signals: rapid page requests, suspicious user agents, automated behavior patterns, and requests to sensitive areas. Create custom bot rules for industry-specific threats or unique attack patterns targeting your site. Regular monitoring of bot logs helps refine detection rules and reduce false positives while maintaining strong protection against automated threats.
Solid Security Pro Pricing
Solid Security Pro offers a tiered pricing structure based on the number of sites you want to secure. The plans generally include all the professional features, with the main difference being the number of sites covered.
Here is a general breakdown of the pricing structure for Solid Security Pro:
| Plan | Number of Sites | Annual Price (Approximate) | Key Features |
|---|---|---|---|
| Basic | 1 | $99 | All Pro Features, Private, ticketed email support, Plugin updates |
| Plus | 5 | $199 | All Pro Features, Private, ticketed email support, Plugin updates |
| Agency | 10 | $299 | All Pro Features, Private, ticketed email support, Plugin updates |
It’s also important to note that SolidWP (the company behind Solid Security) offers a “Solid Suite” package that includes Solid Security Pro, Solid Backups, and Solid Central for a discounted rate, starting at approximately $199 per year.
Conclusion
By implementing the tips in this guide, you’ve gone from simply having a website to fortifying a digital fortress. Solid Security Pro provides the tools to automate and streamline this process, allowing you to focus on what you do best. Don’t leave your website’s security to chance: take control and ensure your online presence is not just good, but bulletproof.