WP Toolkit — Security Scan and Hardening

WP Toolkit includes a security checker that scans your WordPress installation for common vulnerabilities and misconfigurations. It also provides one-click fixes for the most critical issues.




Run a security scan


  1. Open WP Toolkit in cPanel.
  2. Find the site you want to scan. Click the security status indicator on the site card (it shows a score or a colour: green, yellow, or red).
  3. Alternatively, click Manage on the site card, then open the Security tab.
  4. Click Scan to run a fresh check.
  5. WP Toolkit lists all checks with their status: passed, warning, or failed.






What WP Toolkit checks


  • WordPress core, plugins, and themes are up to date
  • WordPress admin password is not the default
  • Debug mode is disabled (debug output can expose file paths and database information)
  • Directory browsing is disabled
  • Access to wp-config.php and .htaccess is blocked from the web
  • XML-RPC is disabled (reduces brute-force and DDoS attack surface)
  • The default admin username ("admin") is not in use
  • Unused themes and plugins are removed






Fix security issues


  1. On the Security tab, click Fix All to apply all recommended fixes in one step.
  2. Or click the fix button next to individual items to apply them one at a time.




Each fix is explained before it is applied. Review the descriptions — some changes (e.g., disabling XML-RPC) can affect specific plugins like Jetpack. If you use such plugins, fix items selectively.




Security hardening options


  • Disable XML-RPC — blocks a common attack vector used for brute-force logins and DDoS amplification
  • Block access to sensitive files — prevents direct web access to wp-config.php, readme.html, and similar files
  • Disable directory browsing — hides the contents of directories that do not have an index file
  • Disable script execution in uploads — prevents attackers from executing PHP files uploaded through the media library
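
To confirm from outside that these hardening options took effect on a site you administer, you can probe it over HTTP. The script below is an added example, not part of WP Toolkit or the original article; the probe paths, the pass criteria and the function names (classify, fetch, audit) are assumptions made for this example.

```python
import sys
import urllib.error
import urllib.request

# Probe paths and pass criteria are assumptions made for this example;
# they are not WP Toolkit's internal check logic.
PROBES = {
    "wp-config.php blocked": "/wp-config.php",
    "readme.html blocked": "/readme.html",
    "XML-RPC disabled": "/xmlrpc.php",
    "directory browsing disabled": "/wp-content/uploads/",
}

def classify(check, status, body):
    """Return 'passed' or 'failed' for one probe response."""
    if check == "directory browsing disabled":
        # A server-generated listing page is titled "Index of /path".
        listing = status == 200 and "<title>Index of" in body
        return "failed" if listing else "passed"
    # For the other probes the server must refuse the request outright.
    # A 200 (even with an empty body) or xmlrpc.php's 405 "POST only"
    # reply means the request still reached the file.
    return "passed" if status in (403, 404) else "failed"

def fetch(url):
    """GET a URL and return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, fetcher=fetch):
    """Probe the site and map each check name to 'passed' or 'failed'."""
    base = base_url.rstrip("/")
    return {check: classify(check, *fetcher(base + path))
            for check, path in PROBES.items()}

if __name__ == "__main__" and len(sys.argv) == 2:
    for check, result in audit(sys.argv[1]).items():
        print(f"{result:7} {check}")
```

Run it with the site's base URL as the only argument, before and after applying the fixes, and compare the results with the statuses shown on the Security tab.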






Schedule automatic security scans


WP Toolkit can run security scans on a schedule and send you a notification when new issues are detected. Configure this in the Security tab under Security Status Monitoring.

Updated on: 28/04/2026
