Introduction to Solid Security
Solid Security is your first- and last-stop security plugin for WordPress, shielding your WordPress websites against brute force attacks and other cyber threats.
It gives you the ability to manage security tasks like vulnerable software scanning, web firewall management, and user security in one place. Whether you manage a single website or several client sites, Solid Security provides you with comprehensive and automated security features.
This guide will help you get started with Solid Security using its simplest secure setup and become familiar with its core features.
This document is designed to be an opinionated but direct way to get set up with Solid Security as quickly as possible, so it will gloss over some concepts and link away to more educational resources where appropriate.
Need further help? The SolidWP Support team is staffed with WordPress and web experts, and they are ready to answer your questions. Reach out via the support channels.
Onboarding with Solid Security
Solid Security has a built-in onboarding process that allows you to secure your website in under 10 minutes, regardless of your technical background. The onboarding puts all the default security settings in place to make things easier.
Before you can start securing your website, make sure you have installed and activated the Solid Security plugin.
After the plugin is installed, head over to the Security menu in your WordPress Admin to start the onboarding.
This article walks you through the 5 sections of onboarding, indicated by the numbers along the bottom of the onboarding wizard screens: Website, Global Settings, Features, User Groups, and Notifications.
Section 1 – Website
The onboarding wizard starts with a broad question about what type of site you have. There’s not a wrong answer here, and most users are fine picking “blog” or “brochure.” Unless you have special considerations like eCommerce, select one and move on!
The next screen contains a crucial setting. Make sure to enable Security Check Pro, as it’s an important piece of web security. For more information on that feature (including the good reason it can’t be enabled by default), see the documentation on IP Address identification.
For now, just make sure it’s enabled.
The next decision you have to make in section 1 is whether this site is one you’re configuring for yourself or on behalf of clients. Again, there’s not a wrong answer here. If you choose “Client Website,” you’ll be given additional options for which WordPress users belong to those clients and how much access those users have to change Solid Security settings.
What this is doing “under the hood” is creating a new user group (more on that in section 4) named “clients,” so the quickest path is to choose “My Own Website.” If you later need an additional User Group named “Clients,” you can add it then.
Before moving on to the Global Settings, there is one final question regarding Password Policy. Selecting to enforce a secure password means that any time a user creates a new password, that password is verified to have never been a part of a data breach recorded in the popular Have I Been Pwned database. It’s always a safe bet to enable this extra protection.
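An added example (not Solid Security's own code): one way a breach check of this kind can work is the Pwned Passwords k-anonymity range lookup, in which only the first five characters of the password's SHA-1 hash are sent to the service. The function names and the offline stand-in for the service are constructed for illustration, and that the plugin uses this exact flow is an assumption.

```python
import hashlib

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) returns the response body for one hash prefix. Only that
    prefix is handed to it, never the password or the full hash.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padding entries carry a count of 0 and must not count as a hit.
            return int(count) if count.isdigit() else 0
    return 0

def is_acceptable(password, fetch_range):
    """Policy decision: reject any password seen in a breach at least once."""
    return breach_count(password, fetch_range) == 0

# --- Constructed stand-in for the remote service, so the example runs offline.
# A real fetch would request https://api.pwnedpasswords.com/range/<prefix>.
CONSTRUCTED_BREACHED = {"password": 3, "letmein": 2}  # made-up counts
SENT = []  # everything the "service" was shown

def fake_fetch_range(prefix):
    SENT.append(prefix)
    lines = ["0" * 35 + ":0"]  # padding-style entry with count 0
    for pw, n in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)  # one SUFFIX:COUNT entry per line

if __name__ == "__main__":
    for pw in ("password", "letmein", "vT7#kq-rainy-Lantern-42"):
        verdict = "accept" if is_acceptable(pw, fake_fetch_range) else "reject"
        print(f"{pw!r}: {verdict}")
    print("sent to service:", SENT)
```

The matching of the 35-character suffix happens locally, so the service learns only a prefix shared by many unrelated hashes.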
Section 2 – Global Settings
The Global Settings screen allows you to configure two important settings, the Authorized Hosts as well as the IP Detection method.
Authorized Host List
Sometimes called a “whitelist” or “allowlist,” this is a group of IP addresses that should never be blocked by Solid Security. This is handy for services or applications that you want to make sure always have access to the site, like third-party uptime monitors or automation tools. If you’re unsure, this list is totally fine (and normal) to leave blank.
IP Detection
IP detection is a critical part of the security process, and if you enabled “Security Check Pro” on the previous step, that will auto-select “Security Check Scan” in this dropdown. If for some reason you opted out of “Security Check Pro” in the last step, you’ll need to configure a different IP Detection method in order for the firewall (a critical piece of Solid Security) to work.
Section 3 – Features
The third section of the onboarding process is a high-level look at various features that you may want to enable. Many are enabled by default or by the selections you’ve made to this point in the wizard.
For the purposes of getting up to speed as quickly as possible (and unless your site has atypical security needs) enable the Two-Factor toggle and click the “next” button at either the top or bottom of the page.
Section 4 – User Groups
A powerful feature already hinted at in previous onboarding screens (the one about Client sites) is the concept of “User Groups.” WordPress itself has user roles, which are helpful in understanding User Groups. Instead of having to individually manage every site user’s ability to do things on the site, putting them into groups allows you to give them capabilities specific to Solid Security all based on what group they are in.
Just like the “Editor” user role in WordPress can do things like edit and publish posts but can’t do things like install plugins, user groups in Solid Security can be given privileges (like the ability to change security settings) or requirements (like being forced to use a strong password) all as a group.
Your options during onboarding are either to create your own user groups or to use the default user roles as a starting point. You can always create more custom user groups later, but if you choose the “default” option here, you can’t go back and delete those user groups.
A good rule of thumb for this option is to choose the “Custom User Groups” option for sites where you (and any other site administrators) are the only ones you want accessing any security settings, or where there’s little nuance in terms of different user access to the site in general. If you make use of the default WordPress user roles regularly, then it makes sense to use those as the starting point for user groups in Solid Security.
Note: if you selected “eCommerce” on the site type in the very first step of Section 1, or if you answered “client site” in the screen about whether this was your own site or a client’s, you were guided through creating a custom user group (by the wizard asking about what permissions and requirements you wanted for those groups) and you’ll see them on the next screen, no matter what.
Section 5 – Notifications
The last step of onboarding is to determine who needs to be alerted in the event of a security issue or otherwise needs to be kept in the loop.
By default, all site Administrators receive email notifications generated by Solid Security Pro.
If you’d rather, you can select that only you (the one going through the onboarding) be notified. Again, no wrong answers here!
Once you get to the following screen, your site is being actively protected. You can always learn more about the options and settings in Solid Security by checking out the exhaustive documentation. Solid Security Basic is a full-featured plugin that provides a great deal of protection and security for your WordPress site.
If you have any questions or concerns, reach out to the SolidWP Support team. The security of your WordPress website is their top priority.