WP Toolkit — Security Scan and Hardening


WP Toolkit includes a security checker that scans your WordPress installation for common vulnerabilities and misconfigurations. It also provides one-click fixes for the most critical issues.


Run a security scan

  1. Open WP Toolkit in cPanel.
  2. Find the site you want to scan. Click the security status indicator on the site card (it shows a score or a colour: green, yellow, or red).
  3. Alternatively, click Manage on the site card → go to the Security tab.
  4. Click Scan to run a fresh check.
  5. WP Toolkit lists all checks with their status: passed, warning, or failed.

What WP Toolkit checks

  • WordPress core, plugins, and themes are up to date
  • WordPress admin password is not the default
  • Debug mode is disabled (debug output can expose file paths and database information)
  • Directory browsing is disabled
  • Access to wp-config.php and .htaccess is blocked from the web
  • XML-RPC is disabled (reduces brute-force and DDoS attack surface)
  • The default admin username ("admin") is not in use
  • Unused themes and plugins are removed

Fix security issues

  1. On the Security tab, click Fix All to apply all recommended fixes in one step.
  2. Or click the fix button next to individual items to apply them one at a time.

Each fix is explained before it is applied. Review the descriptions — some changes (e.g., disabling XML-RPC) can affect specific plugins like Jetpack. If you use such plugins, fix items selectively.


Security hardening options

  • Disable XML-RPC — blocks a common attack vector used for brute-force logins and DDoS amplification
  • Block access to sensitive files — prevents direct web access to wp-config.php, readme.html, and similar files
  • Disable directory browsing — hides the contents of directories that do not have an index file
  • Disable script execution in uploads — prevents attackers from executing PHP files uploaded through the media library
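To confirm from outside that these fixes took effect on your own site, the following added example (not part of WP Toolkit or the original article) classifies the HTTP responses for the paths named above. The response heuristics are assumptions about a typical Apache-hosted WordPress site, and the script-execution item is not covered because it cannot be verified with a plain GET.

```python
import sys
import urllib.error
import urllib.request

# (label, path, predicate(status, body) -> True when the item looks hardened)
CHECKS = [
    ("wp-config.php blocked", "/wp-config.php", lambda s, b: s in (403, 404)),
    ("readme.html blocked", "/readme.html", lambda s, b: s in (403, 404)),
    # An enabled endpoint answers a plain GET with 405 "accepts POST requests only".
    ("XML-RPC disabled", "/xmlrpc.php", lambda s, b: s in (403, 404)),
    # Assumption: Apache autoindex pages carry the "Index of /" title.
    ("directory browsing disabled", "/wp-content/uploads/",
     lambda s, b: s != 0 and "Index of /" not in b),
]

def evaluate(responses):
    """Return labels of checks that do not look hardened.
    responses maps path -> (status, body); status 0 means no answer."""
    failed = []
    for label, path, hardened in CHECKS:
        status, body = responses.get(path, (0, ""))
        if not hardened(status, body):
            failed.append(label)
    return failed

def fetch(base_url, path, timeout=10):
    """GET one path and return (status, first 4 KiB of body)."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")
    except OSError:  # DNS failure, refused connection, timeout
        return 0, ""

# Constructed sample responses (not captured from a real site).
SAMPLE_BEFORE = {
    "/wp-config.php": (200, ""),
    "/readme.html": (200, "<h1>WordPress</h1>"),
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
    "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>"),
}
SAMPLE_AFTER = {path: (403, "Forbidden") for _, path, _ in CHECKS}

if __name__ == "__main__":
    live = len(sys.argv) > 1  # pass your own site's base URL to probe it
    results = {p: fetch(sys.argv[1], p) for _, p, _ in CHECKS} if live else SAMPLE_BEFORE
    for label in evaluate(results):
        print("NOT HARDENED:", label)
```

A host that redirects blocked paths to the home page with a 200 status will be reported as not hardened; check those items by hand.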

Schedule automatic security scans

WP Toolkit can run security scans on a schedule and send you a notification when new issues are detected. Configure this in the Security tab under Security Status Monitoring.

