WP Toolkit includes a security checker that scans your WordPress installation for common vulnerabilities and misconfigurations. It also provides one-click fixes for the most critical issues.
Run a security scan
- Open WP Toolkit in cPanel.
- Find the site you want to scan. Click the security status indicator on the site card (it shows a score or a colour: green, yellow, or red).
- Alternatively, click Manage on the site card, then open the Security tab.
- Click Scan to run a fresh check.
- WP Toolkit lists all checks with their status: passed, warning, or failed.
What WP Toolkit checks
- WordPress core, plugins, and themes are up to date
- WordPress admin password is not the default
- Debug mode is disabled (debug output can expose file paths and database information)
- Directory browsing is disabled
- Access to wp-config.php and .htaccess is blocked from the web
- XML-RPC is disabled (reduces brute-force and DDoS attack surface)
- The default admin username ("admin") is not in use
- Unused themes and plugins are removed
Fix security issues
- On the Security tab, click Fix All to apply all recommended fixes in one step.
- Or click the fix button next to individual items to apply them one at a time.
Each fix is explained before it is applied. Review the descriptions — some changes (e.g., disabling XML-RPC) can affect specific plugins like Jetpack. If you use such plugins, fix items selectively.
Security hardening options
- Disable XML-RPC — blocks a common attack vector used for brute-force logins and DDoS amplification
- Block access to sensitive files — prevents direct web access to wp-config.php, readme.html, and similar files
- Disable directory browsing — hides the contents of directories that do not have an index file
- Disable script execution in uploads — prevents attackers from executing PHP files uploaded through the media library
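To confirm from outside that the hardening options above took effect, a check like the following can be run against a site you administer. It is an added example, not WP Toolkit code; the probe paths, the pass/fail rule (403 or 404 counts as blocked) and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Probe paths from the hardening options above; the uploads directory is
# an assumed example of a directory without an index file.
PROBES = {
    "xmlrpc": "/xmlrpc.php",
    "wp-config": "/wp-config.php",
    "readme": "/readme.html",
    "listing": "/wp-content/uploads/",
}

def classify(check, status, body):
    """Return 'pass' or 'fail' for one probe response."""
    if check == "listing":
        # Apache autoindex pages carry an "Index of /..." title.
        failed = status == 200 and "Index of /" in body
    else:
        # A blocked file answers 403 or 404; any other status means the
        # request reached it (an enabled xmlrpc.php typically answers a
        # GET with 405 or 200).
        failed = status not in (403, 404)
    return "fail" if failed else "pass"

def fetch(base_url, path, timeout=10):
    """GET base_url + path; return (status, body) even for 4xx/5xx."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, fetcher=fetch):
    """Probe a site you administer; map check name -> 'pass'/'fail'."""
    return {name: classify(name, *fetcher(base_url, path))
            for name, path in PROBES.items()}

# Constructed sample responses, not captured from a real site.
SAMPLE = {
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
    "/wp-config.php": (403, "Forbidden"),
    "/readme.html": (200, "<h1>WordPress</h1>"),
    "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>"),
}

if __name__ == "__main__":
    for name, verdict in audit("https://example.com", lambda _b, p: SAMPLE[p]).items():
        print(f"{name}: {verdict}")
```

Call `audit("https://your-site.example")` without the second argument to probe a live site; a "fail" after applying the fixes means the corresponding item is worth rescanning in the Security tab.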
Schedule automatic security scans
WP Toolkit can run security scans on a schedule and send you a notification when new issues are detected. Configure this in the Security tab under Security Status Monitoring.