Solid Security Pro automatically scans your site for security issues, including:
- Check if Google Safe Browsing has flagged your site as containing malware (Site Blacklist Status)
- Vulnerable Plugins
- Vulnerable Themes
- WordPress Core Vulnerabilities
- Two-Factor
- Password
- Inactive Users
- Rogue Installs
To enable automatic scanning, navigate to Security -> Settings -> Features -> Site Check, and click the toggle switch button to enable Site Scan Scheduling.
After enabling the Site Scan Scheduling feature, your site will receive daily scans.
You can manage emails generated by the Site Sanner in the Notification Center and view the results of previous Site Scans in the Security Logs.
To run a manual Site Scan, go to the Security Site Scans page and click the "Start Site Scan" button:
What to do when the Site Scan finds an issue
If the Site Scan finds a security issue, it isn't necessarily a cause for concern. However, you may need to investigate to determine what action you should take.
Clicking the "View Details" dropdown will help provide additional details and the recommended actions you can take. You'll also have the option to mute a security issue.
Inactive Users
Lists all site users that have been inactive for more than 30 days.
What to do: Check the identified Inactive Users and demote or remove the inactive users.
Rogue Installs
Identifies "Rogue Installs" or old WordPress sites that are no longer in use and are on the same server.
What to do: Check the identified old sites, and if the site is still being used, update the installed WordPress version, plugins, and themes.
Plugins/Themes
Lists all outdated and vulnerable plugins, themes, or WordPress core, along with their severity level.
What to do: The most important thing is to look for an update. If a vulnerability is identified, check whether the plugin/theme is actively supported (the last update should not have been years ago and compatible with the latest WordPress version). If it is, a patched version will most likely come, so you can temporarily disable the plugin/theme while waiting for the update or mute the vulnerability.
Note: You can mute a vulnerability either on the Site Scans or Vulnerabilities pages. More information on the Vulnerabilities page can be found here.
WordPress Core
Checks for known WordPress Core vulnerabilities.
What to do: Ensure that your installed WordPress Core is up-to-date.
Google Safe Browsing
Checks whether your site has landed on Google's Safe Browsing Blocklist.
What to do: Follow these five key steps if your site is flagged as "deceptive" by Google's Safe Browsing service:
- Scan your site for vulnerabilities and malware.
- Update or remove vulnerable themes and plugins.
- Find and remove any malware from your site.
- Submit a request to Google to have the warning flag removed. (To do this, navigate to the Google Search Console, go to Security & Manual Actions >> Security issues, and select the button that says “Request Review.”)
- Confirm you are no longer on Google's Blocklist.
Two-Factor
Lists all site users that have administrator-like capabilities but do not have Two-Factor enabled.
What to do: Send the user a Two-Factor Authentication Reminder email notification.
Password
Lists all site users that have administrator-like capabilities but are using insecure passwords.
What to do: Enable the Strong Password in the User Groups settings to require users to set up a strong password.
Muting a Site Scan issue
Whether you're still waiting for a plugin/theme/WordPress core update or have confirmed that the Site Scan result is not an issue, Solid Security allows you to mute it.
To mute a Site Scan result, click the "View Details" dropdown below the Action column and click the Mute Issue button.
All the muted issues will not show on the succeeding Site Scan "Scan Results" tab but instead under the "Muted Results" tab. From there, you'll have the option to unmute the issue.