I. Solid Security Tutorial: A Lightweight and Multifunctional Security Plugin
Solid Security (formerly iThemes Security) is a highly practical WordPress security plugin designed to protect against brute force attacks, malware, and unauthorized intrusions. It boasts over 1 million active installations! The free version offers a robust set of security features, while the Pro version unlocks advanced capabilities, such as enhanced two-factor authentication (2FA) settings, scheduled malware scans, and Google reCAPTCHA integration. Best of all, it’s user-friendly, making it easy for both WordPress beginners and seasoned users to secure websites effectively!
II. Which Hosts and Websites Are Suitable for Solid Security?
Lightweight! Lightweight! Lightweight! It matters enough to say three times: Solid Security consumes remarkably few server resources. Unlike some security plugins that heavily tax server performance, Solid Security runs comfortably on nearly all types of hosting and websites, particularly:
- Shared Hosting: For resource-constrained shared hosting, it’s a lifesaver, running smoothly without slowdowns.
- Entry-Level VPS: For those upgrading to a VPS, Solid Security’s low resource demands provide peace of mind.
- All Website Types: Whether it’s a personal blog, corporate site, e-commerce platform, or small forum, Solid Security adapts seamlessly.
In short, unless a website requires highly complex computations, Solid Security is the ideal security companion!
III. Solid Security Installation and Setup
Core Security Options
Solid Security's setup wizard walks through five core security features, which the official documentation describes as follows:
- Local Brute Force Protection: Prevents hackers from repeatedly guessing passwords by temporarily locking an account after several failed attempts, reducing the risk of a breach.
- Network Brute Force Protection: Monitors abnormal login attempts arriving from many IPs, blocking IPs or delaying responses when necessary to counter network-wide attacks.
- Require Strong Passwords: Mandates passwords containing uppercase letters, lowercase letters, numbers, and special characters, with a minimum length of 12 characters.
- Refuse Compromised Passwords: Checks passwords against breach databases and forces a change if a password has been leaked.
- Allow Two-Factor Authentication: Adds a second verification step (e.g., an email or app code) for ironclad account security.
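To make three of these features concrete, here is an added example (not Solid Security's own code, and not its API) that implements the logic of local brute force lockout, the strong-password rule, and a compromised-password check. The lockout thresholds (5 failures in 300 seconds, 900-second lock) are assumptions chosen for the example; the breach lookup uses the k-anonymity range format of the Pwned Passwords service but answers from a constructed in-memory corpus (`fake_fetch_range`) so that it runs offline.

```python
# Added example (not Solid Security's code): reference logic for three of the
# features listed above, written to show what the checks do. Thresholds such as
# max_fails=5, window=300 s and lockout=900 s are assumptions, not the plugin's
# settings.
import hashlib
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional


class LoginLockout:
    """Local brute force protection: lock a username after max_fails failed
    logins inside a sliding window of `window` seconds, for `lockout` seconds."""

    def __init__(self, max_fails: int = 5, window: int = 300, lockout: int = 900):
        self.max_fails, self.window, self.lockout = max_fails, window, lockout
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record one failed login; return True if it triggers a lockout."""
        now = time.time() if now is None else now
        attempts = self._fails[user]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:  # forget old failures
            attempts.popleft()
        if len(attempts) >= self.max_fails:
            self._locked_until[user] = now + self.lockout
            attempts.clear()
            return True
        return False


def password_policy_violations(password: str, min_length: int = 12) -> List[str]:
    """Require Strong Passwords: return the unmet rules (empty list = compliant)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def is_compromised(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Refuse Compromised Passwords via a k-anonymity range lookup: only the
    first five hex digits of SHA-1(password) leave the site; the breach service
    answers with every known suffix for that prefix as 'SUFFIX:COUNT' lines
    (the Pwned Passwords range format). The network call is injected as
    fetch_range so this example runs offline."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        known_suffix, _, count = line.strip().partition(":")
        if known_suffix == suffix and count.isdigit() and int(count) > 0:
            return True
    return False


# Constructed stand-in for the breach service: two made-up "leaked" passwords.
_CONSTRUCTED_BREACH_CORPUS = {"password123", "Welcome2024!"}


def fake_fetch_range(prefix: str) -> str:
    """Answer a range query from the constructed corpus, in the same format."""
    lines = []
    for leaked in sorted(_CONSTRUCTED_BREACH_CORPUS):
        h = hashlib.sha1(leaked.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:42")
    return "\n".join(lines)


if __name__ == "__main__":
    guard = LoginLockout(max_fails=3, window=60, lockout=600)
    for t in (0, 10, 20):
        guard.record_failure("admin", now=t)
    print("admin locked:", guard.is_locked("admin", now=30))
    # "Welcome2024!" satisfies every policy rule yet is rejected as leaked:
    print("policy problems:", password_policy_violations("Welcome2024!"))
    print("compromised:", is_compromised("Welcome2024!", fake_fetch_range))
```

The point of running the two password checks together is visible in the `__main__` block: a password can satisfy every complexity rule and still be refused because it appears in a breach corpus, which is why the plugin offers both options rather than one.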
IV. Recommended Important Settings for Solid Security
Solid Security’s strength lies in its flexible settings. Below are key recommendations addressing common WordPress security concerns:
1. Disable XML-RPC: Steer Clear of Hacker Traps
XML-RPC is a significant WordPress security risk, often exploited for brute force or DDoS attacks. Disabling it is strongly recommended!
How to disable it?
Navigate to Security > Settings > WordPress Tweaks, locate the XML-RPC option, and select Disable XML-RPC.
Will it affect the website?
No worries! 99% of WordPress sites don’t need XML-RPC, as modern features rely on the REST API. Unless the site uses obscure functions (e.g., remote email editing), disabling it is seamless! Note: Jetpack users should verify whether any of their features depend on XML-RPC (newer Jetpack versions mostly use the REST API, so the impact is minimal).
2. Hide Backend: Keep Hackers in the Dark
The default WordPress backend path (https://mydomain.com/wp-admin/) is another security concern, as it’s a common target for hackers. Changing it to a unique path is advised!
How to change it?
Go to Security > Settings > Hide Backend, enable the feature, and enter a custom path (e.g., https://mydomain.com/secret-login).
Why not rely on a long password?
While a strong password of over 19 characters is secure on its own, changing the backend path stops hackers from even finding a login form to attack! This improves security and also saves the server resources that brute force attempts would otherwise consume.
3. 2FA: The Ultimate Security Layer
Two-factor authentication (2FA) is the ultimate safeguard for accounts, especially admin accounts. Solid Security supports Email 2FA (requires proper SMTP setup).
How to set it up?
- Navigate to Security > Settings > Features > Login Security.
- Enable 2FA and select the Email method.
- After receiving the email confirmation code, 2FA is ready!
E-commerce site note:
Consider enabling Disable on First Login to avoid deterring new customers with the 2FA process during registration.
SMTP setup:
Ensure an SMTP plugin (e.g., FluentSMTP) is correctly configured, or Email 2FA codes may not be received.
Once the email confirmation code is received, 2FA setup is complete!
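The steps above configure the feature; what the plugin has to get right behind the scenes is the lifecycle of the emailed code. The following is an added example (not Solid Security's code) of that server-side logic: a code is generated with a CSPRNG, stored only as a salted hash, accepted once, and discarded after a time limit or too many wrong guesses. The 6-digit length, 10-minute validity and 5-attempt limit are assumptions for the example, and the mail transport is injected as a callable (an `outbox` list stands in for the SMTP plugin mentioned above) so it runs offline.

```python
# Added example (not Solid Security's code): the server-side lifecycle of an
# email one-time code. Code length, 10-minute validity and 5-attempt limit are
# assumptions for the example, not the plugin's settings.
import hashlib
import hmac
import secrets
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


class EmailSecondFactor:
    """Issue a single-use code by email and verify it under a time limit and an
    attempt limit. The mail transport is injected (this is where an SMTP plugin
    would sit), so the example runs without a mail server."""

    def __init__(self, send_email: Callable[[str, str], None],
                 ttl: int = CODE_TTL_SECONDS, max_attempts: int = MAX_ATTEMPTS):
        self._send = send_email
        self.ttl, self.max_attempts = ttl, max_attempts
        self._pending: Dict[str, dict] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        # Only a salted hash is stored. A 6-digit code is trivially guessable
        # offline, so the real protection is the attempt limit and expiry below.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, user: str, address: str, now: float) -> None:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any previous code, so only one is ever valid.
        self._pending[user] = {"salt": salt, "digest": self._digest(code, salt),
                               "expires": now + self.ttl, "attempts": 0}
        self._send(address, code)

    def verify(self, user: str, submitted: str, now: float) -> bool:
        record = self._pending.get(user)
        if record is None:
            return False
        if now > record["expires"]:
            del self._pending[user]
            return False
        record["attempts"] += 1
        ok = hmac.compare_digest(self._digest(submitted.strip(), record["salt"]),
                                 record["digest"])
        if ok or record["attempts"] >= self.max_attempts:
            del self._pending[user]  # single use, or too many wrong guesses
        return ok


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMTP transport
    factor = EmailSecondFactor(lambda addr, code: outbox.append((addr, code)))
    factor.issue("admin", "admin@example.com", now=0)
    print("mail sent to", outbox[-1][0])
    print("correct code accepted:", factor.verify("admin", outbox[-1][1], now=5))
    print("replay rejected:", factor.verify("admin", outbox[-1][1], now=6))
```

Two details are worth noticing: the comparison uses `hmac.compare_digest` rather than `==` so verification time does not leak how many bytes matched, and a correct code is deleted the moment it is accepted, which is what makes a replayed code fail.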
V. Tools: Powerful but Requires Careful Use
The Tools section (Security > Tools) in Solid Security offers a range of useful features, such as website security checks and database prefix changes. The official documentation is detailed, so further elaboration isn’t necessary, but one caution is warranted:
Change Database Table Prefix:
This feature changes the default wp_ prefix to a random value, enhancing database security. However, testing this on a Cloudways host caused a server crash! Fortunately, Cloudways auto-recovers. Recommendation: Always back up the website before using these features!
VI. FAQ
Which Host Types Are Suitable for Using Solid Security as a Security Plugin?
The lightweight design of Solid Security makes it compatible with nearly any hosting environment! It’s particularly recommended for:
- Shared Hosting: Performs smoothly on resource-limited hosts, a lifesaver for low-spec servers.
- Entry-Level VPS: Ideal for websites transitioning to VPS, thanks to its low resource usage.
- Other Environments: Stable performance on cloud hosts (e.g., Cloudways) or high-end dedicated servers.
Is the Free Version of Solid Security Sufficient for Protection? Is Upgrading to the Pro Version Necessary?
The free version of Solid Security offers comprehensive protection, including brute force defense, strong password enforcement, and rejection of compromised passwords. Paired with Cloudflare’s firewall and CDN, it meets the security needs of most websites, such as personal blogs, small e-commerce sites, or mid-sized business websites.
However, for larger sites or those with higher security demands, the Pro version is worth considering, especially for:
- Large E-commerce Platforms: Where customer data and transaction security are critical, the Pro version’s advanced firewall and malware scans strengthen defenses.
- High-Risk Environments: Sites requiring passwordless login or dedicated support benefit from the Pro version’s robust features.
What Is the Price of Solid Security Pro?
As of April 30, 2025, Solid Security Pro pricing is as follows:
- 1 Site: $99 per year.
- 5 Sites: $199 per year.
- More Sites: For example, 10 sites at $299/year, 25 sites at $549/year.
Pricing may vary, so checking the official website pricing table for the latest information is recommended.
What Additional Features Does Solid Security Pro Offer?
Main Additional Features
- Advanced Firewall Protection: Integrated with Patchstack for real-time vulnerability patching, with automated firewall options for enhanced security.
- Two-Factor Authentication (2FA): Adds a secure login layer to protect user accounts.
- Passwordless Login Options: Includes magic links and passkeys, supporting biometric logins (e.g., Face ID, Touch ID) for convenience and security.
- Real-Time Security Dashboard: Provides charts and logs to monitor security status, enabling quick threat response.
- User Activity Logging: Tracks user actions for security audits.
- Scheduled Malware Scans: Regularly checks the website for potential threats.
- Database Backups: Ensures data integrity with restorable backups.
- Version Management: Controls updates for WordPress core, plugins, and themes to patch vulnerabilities promptly.
- Dedicated Support: Offers private ticketing support from the SolidWP team for efficient issue resolution.
- Money-Back Guarantee: 30-day satisfaction guarantee with full refunds if not satisfied.
For more details, refer to “Why Upgrade to Pro?”.
Note: Some links in this article (e.g., pricing table and Pro version introduction) are affiliate links, which may earn a small commission for this site, but this does not affect pricing or the objectivity of recommendations.
References for this article: https://solidwp.com/security/