WordPress Toolkit in cPanel includes a built-in Security Hardening scanner that checks your WordPress installation against a list of known security best practices and lets you fix most of the issues it finds with a single click. This article walks you through running a security scan and applying the recommended fixes.
Prerequisites
- WordPress installed and managed through WordPress Toolkit in cPanel
- Access to cPanel at yourdomain.com/cpanel
Opening WordPress Toolkit Security
- Log in to cPanel at yourdomain.com/cpanel
- In the Software section, click WordPress Toolkit
- Find your WordPress installation in the list
- Click the Security button (shield icon) on your site's card, or click on the site name then navigate to the Security tab
Running a Security Scan
- On the Security tab, click Check Security to run the scan
- WordPress Toolkit analyses your installation and displays a list of security checks with their status:
  - Green (Secure) - the check passed, no action needed
  - Red (Vulnerable) - a security issue was found, action recommended
  - Grey (Ignored) - you have chosen to skip this check
- Review the list of issues - each one has a description explaining the risk
Security Checks Explained
WordPress Toolkit checks for the following common security issues and can fix most of them automatically:
WordPress configuration
- WordPress version is up to date - outdated WordPress core is the #1 cause of hacked sites
- Debug mode is disabled - leaving WP_DEBUG enabled in production can expose sensitive error information to attackers
- Automatic updates for minor WordPress versions are enabled - security patches are applied automatically
File and folder permissions
- Correct permissions on wp-config.php - should be 600 or 640, not 644 or 777
- Correct permissions on .htaccess - should be 644
- Write permissions are not overly permissive on key directories
Login and admin security
- Admin username is not "admin" - using "admin" makes brute-force attacks easier because the attacker already knows the username
- User enumeration is disabled - prevents bots from discovering WordPress usernames via the author archive
- PHP execution in the uploads folder is blocked - prevents malicious PHP files uploaded via plugins from executing
Configuration and exposure
- wp-config.php is not accessible from the web - this file contains your database credentials and must be protected
- html and license.txt are not accessible - these files reveal your WordPress version to attackers
- XML-RPC is disabled - unless you specifically need it, XML-RPC is a common attack target
- Directory browsing is disabled - prevents visitors from seeing a list of your files if no index.html exists
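As an added example that is not part of this article or of WordPress Toolkit, the following POSIX shell script re-checks four of the items above from the command line (wp-config.php and .htaccess permissions, WP_DEBUG, and PHP execution in the uploads folder). It assumes a standard WordPress layout under the document root you pass it, and its uploads check only looks for a deny rule mentioning php in wp-content/uploads/.htaccess.

```shell
#!/bin/sh
# Added audit helper (not WordPress Toolkit code): re-checks four scan items on a
# WordPress docroot. Assumes the usual layout: wp-config.php and .htaccess in the
# root, uploads under wp-content/uploads.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True when wp-config.php defines WP_DEBUG as true.
debug_enabled() {
  grep -Eiq "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# True when wp-content/uploads/.htaccess carries a rule denying access to .php files.
# (Simplified: looks for a line mentioning php plus an Apache deny directive.)
uploads_php_blocked() {
  f="$1/wp-content/uploads/.htaccess"
  [ -f "$f" ] && grep -qi 'php' "$f" && grep -Eqi 'deny from all|Require all denied' "$f"
}

# Print one line per check; return the number of failed checks (0 = all secure).
wp_audit() {
  root="$1"; fails=0
  p=$(perm_of "$root/wp-config.php")
  case "$p" in
    600|640) echo "ok   wp-config.php mode $p" ;;
    *) echo "FAIL wp-config.php mode $p (want 600 or 640)"; fails=$((fails+1)) ;;
  esac
  h=$(perm_of "$root/.htaccess")
  if [ "$h" = 644 ]; then echo "ok   .htaccess mode $h"
  else echo "FAIL .htaccess mode $h (want 644)"; fails=$((fails+1)); fi
  if debug_enabled "$root"; then echo "FAIL WP_DEBUG is true"; fails=$((fails+1))
  else echo "ok   WP_DEBUG not enabled"; fi
  if uploads_php_blocked "$root"; then echo "ok   PHP execution blocked in uploads"
  else echo "FAIL no PHP-blocking .htaccess in wp-content/uploads"; fails=$((fails+1)); fi
  return "$fails"
}

# Run directly: sh wp_audit.sh /home/user/public_html
if [ -n "${1:-}" ]; then wp_audit "$1"; fi
```

The exit status equals the number of failed checks, so the script can be run from a cron job or a monitoring hook and compared against the Toolkit's own scan results.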
Fixing Security Issues
- On the Security tab, tick the checkboxes next to the issues you want to fix
- To fix all issues at once, click the Select All Vulnerable checkbox
- Click Fix Selected or Secure - WordPress Toolkit applies the fixes automatically
- Re-run the security scan to confirm all selected issues now show as Secure
Note: Some security checks cannot be fixed automatically and require manual action. WordPress Toolkit provides specific instructions for each manual fix. If you are unsure about a fix, open a support ticket at my.unisolva.com for guidance.
Additional Security Best Practices
Beyond WordPress Toolkit's automated checks, follow these practices to keep your site secure:
- Keep all plugins and themes up to date - outdated plugins are the most common entry point for attackers (see: How to Update WordPress, Plugins, and Themes Safely)
- Delete unused plugins and themes - even inactive plugins can be exploited if they contain vulnerabilities
- Use strong, unique passwords for all WordPress user accounts - especially administrators
- Enable Loginizer Pro brute-force protection and 2FA on admin accounts (see: How to Secure Your WordPress Login with Loginizer Pro)
- Use SiteSeo Pro's security features for additional protection (bundled with your plan)
- Take regular backups - if your site is compromised, a clean backup is your fastest recovery path
Verify It Worked
- The Security tab in WordPress Toolkit shows all critical checks as green (Secure)
- Your site loads normally after hardening - test the frontend and wp-admin to confirm nothing broke
- Schedule a monthly security scan to catch any new issues introduced by plugin updates
Related Articles
- How to Secure Your WordPress Login with Loginizer Pro
- How to Update WordPress, Plugins, and Themes Safely (WordPress category)
- How to Use WordPress Toolkit - Staging, Cloning & Auto-Updates (WordPress category)