What the Solid Security Plugin Does for WordPress
If you want to secure a WordPress site without piecing together multiple security tools, Solid Security is a practical starting point.
This guide shows how to set up Solid Security plugin settings that reduce common attack surfaces while keeping your workflow manageable.
Solid Security, formerly iThemes Security, helps protect WordPress installations with features such as two-factor authentication, brute-force protection, file change detection, strong password enforcement, and security logging.
It is built for site owners who want a guided setup with meaningful defaults and room for deeper hardening.
Before You Install Solid Security
Before you begin, make sure you have administrator access to the WordPress dashboard and a recent backup of your site.
Security plugins can change login behavior, so a backup gives you a safe rollback point if anything conflicts with your theme, caching layer, or other plugins.
- Confirm your WordPress core, themes, and plugins are updated.
- Check that you can access your site’s email address for alerts and recovery.
- Review any existing security plugins to avoid overlapping features.
- Have a recovery method ready, such as hosting access or a backup restore process.
How to Install Solid Security
From your WordPress dashboard, go to Plugins and select Add New.
Search for Solid Security, install the plugin, and activate it.
After activation, the plugin typically opens a guided onboarding flow that helps you configure key protections in a logical order.
If the plugin prompts you to connect to a Solid Central account, you can usually continue with local security features first.
The cloud connection is useful for centralized monitoring and managing multiple sites, but it is not the only way to benefit from the plugin.
How to Set Up Solid Security Plugin Settings Step by Step
The exact screens may vary by version, but the setup usually follows the same pattern: identify your site type, choose baseline protections, and enable stronger login controls.
The goal is to harden the site without locking out legitimate users.
1. Run the site scan or security check
Start with the built-in site scan or security check if available.
This identifies common issues such as weak passwords, outdated software, vulnerable file permissions, or missing login protections.
Use the results to prioritize fixes.
For example, a missing backup strategy or exposed admin login is more urgent than optional cosmetic settings.
2. Set up two-factor authentication
Two-factor authentication is one of the most valuable protections in Solid Security.
Enable it for all administrator accounts and, where appropriate, for editors or shop managers who can change site content or access sensitive data.
- Use an authenticator app rather than SMS when possible.
- Store backup codes in a secure password manager.
- Test login before rolling it out to all users.
This single step can significantly reduce account takeover attempts, especially against brute-force attacks and credential stuffing.
3. Configure brute-force protection
Brute-force protection limits repeated failed login attempts from the same IP address or user pattern.
Enable this feature early, because WordPress login pages are common targets for automated bots.
Choose settings that block repeated failures without being overly aggressive.
If your team uses shared offices, VPNs, or dynamic IP addresses, overly strict bans can create friction.
In those cases, shorter lockouts with email alerts are often a better balance.
4. Strengthen password and user policy rules
Use Solid Security’s password enforcement features to require strong passwords for administrators and other privileged accounts.
If the plugin offers password expiration or password strength rules, apply them selectively so you improve security without causing unnecessary password fatigue.
Good policy choices include:
- Require strong passwords for administrator and editor roles.
- Prevent weak usernames like “admin” when possible.
- Remove unused accounts instead of leaving them dormant.
- Review user roles regularly to ensure least privilege.
5. Hide or change sensitive login paths
Depending on your version and site setup, you may be able to change or obscure common login-related URLs.
This is not a replacement for authentication security, but it does reduce exposure to automated scanning and simple bot traffic.
Use this feature carefully if you rely on plugins, custom login forms, or membership tools.
After any change, verify that you can still access wp-login.php, your custom login page, and password reset flow as expected.
6. Enable file change detection
File change detection helps you spot unexpected modifications to WordPress core files, themes, or plugins.
This is especially useful after updates, because you can distinguish normal changes from suspicious edits.
To get useful alerts, avoid monitoring noise-heavy directories if the plugin allows exclusions.
Cache folders, upload directories, and some backup locations can create excessive notifications and hide important events.
Recommended Solid Security Hardening Settings
After the basics are in place, use the plugin’s hardening options to reduce unnecessary exposure.
These settings are generally low-risk and make a meaningful difference on most WordPress sites.
Turn on security logging and alerts
Security logs help you see failed logins, file edits, ban events, and configuration changes.
Email alerts are useful when they are reserved for high-value events such as administrator lockouts, new file changes, or suspicious login attempts.
- Send alerts to a monitored business email address.
- Avoid alerting on every minor event or you may create alert fatigue.
- Review logs weekly to spot patterns and repeated sources of abuse.
Limit login attempts and session access
Limit login attempts to protect the login form from abuse.
If the plugin supports session handling or idle logout, use it for sites with multiple administrators or public-facing user dashboards.
Shorter sessions reduce the chance that a stolen device or unattended browser remains active too long.
Disable features you do not need
WordPress sites often become more vulnerable when unnecessary functions are exposed.
If your site does not need XML-RPC, comment posting, file editing from the dashboard, or unused API endpoints, disable them where appropriate.
Be cautious: some features are required by Jetpack, mobile apps, or external publishing tools.
Always check dependencies before turning off a core WordPress capability.
How to Tune Solid Security for Different Site Types
The best setup depends on what your site does.
A blog, an agency site, and an online store do not need identical security controls.
- Small business sites: prioritize 2FA, login protection, backups, and alerts.
- WooCommerce stores: focus on privileged accounts, checkout reliability, and minimal login friction for customers.
- Membership sites: balance brute-force protection with user experience and custom login integrations.
- Agency or multisite environments: standardize policies, logging, and recovery procedures across all sites.
Common Setup Mistakes to Avoid
Most WordPress security problems come from overconfidence or misconfiguration rather than the plugin itself.
Avoid these common mistakes when you set up Solid Security plugin protections.
- Enabling every feature at once without testing user access.
- Using the same weak administrator password across multiple sites.
- Ignoring email deliverability, which prevents alerts and recovery messages from arriving.
- Forgetting to whitelist trusted IPs for managed teams or developers.
- Assuming the plugin replaces updates, backups, or secure hosting.
How to Verify Your Setup Is Working
Once the core settings are enabled, test your configuration from a normal user perspective and an administrator perspective.
Try a failed login, confirm an alert is sent, verify two-factor authentication works, and ensure file change notifications are arriving when expected.
Also confirm that background tasks, forms, and any connected services still function normally.
A solid security configuration should protect the site without interrupting publishing, payments, or customer logins.
Best Practices for Ongoing Security Maintenance
Security is not a one-time task.
Review your Solid Security dashboard after major WordPress updates, plugin changes, or team access changes.
If a staff member leaves, remove their account immediately and rotate shared credentials where necessary.
- Update WordPress core, plugins, and themes promptly.
- Audit administrator accounts every month.
- Review logs for repeated failed logins or unusual file changes.
- Test backup restoration on a schedule, not just backup creation.
Used correctly, Solid Security becomes part of a broader defense strategy that includes updates, strong authentication, least-privilege access, reliable backups, and server-level protection.
The plugin works best when it supports those controls rather than standing in for them.