Solid Security plugin review and common issues

Solid Security is used for site hardening, login protection, and security monitoring. In most cases, it fits business sites better than a custom build done too early. Common issues involve login protection, security rules, and blocked users. These usually arise when plugin settings, cache, or integrations are misconfigured. The plugin can save time, but it still needs testing on a staging site before major changes go live. From experience, Solid Security works best when you keep the setup focused and avoid overlapping plugins.

What is Solid Security plugin?

Solid Security (formerly iThemes Security Pro) is the security plugin component of the SolidWP suite by StellarWP. It protects WordPress sites from the most common attack vectors: brute force login attempts, vulnerable plugin and theme exploitation, unauthorized file changes, and weak user credentials. The plugin provides security hardening without requiring deep technical knowledge — a setup wizard configures the most important protections based on the site type (e-commerce, membership, brochure site, etc.).

Solid Security includes two-factor authentication (TOTP apps, email codes), passwordless login via passkeys, login lockout after failed attempts, banned IP management, file change detection, database backup scheduling, and real-time vulnerability scanning against the WPScan vulnerability database (via Patchstack integration). The Pro version ($99/year per site, or $199/year in the Solid Suite) adds advanced features including trusted devices management, magic login links, and reCAPTCHA integration.

Solid Security competes with Wordfence and Sucuri as the three dominant WordPress security plugins. Solid Security’s differentiation is its connection to the WPScan vulnerability database for proactive vulnerability notifications, its integration with the broader SolidWP ecosystem (Solid Backups for backup-before-repair), and its approachable setup wizard. For sites already using the Solid Suite, Solid Security is the natural choice for security without adding a fourth vendor to the stack.

Key Features

  • Two-factor authentication: TOTP apps, email codes, backup codes
  • Passwordless login via passkeys
  • Brute force protection with configurable lockout thresholds
  • Network brute force protection (block IPs attacking other WP sites)
  • Login page URL change (hide /wp-admin)

Pros & Cons

Pros

  • Setup wizard configures security appropriate for site type — approachable for non-security-experts
  • Patchstack/WPScan vulnerability database provides proactive vulnerability notifications
  • Two-factor authentication and passkeys are well-implemented

Cons

  • Pro required for some advanced features
  • No server-level firewall (operates at PHP level like most WordPress security plugins) — Cloudflare WAF provides better firewall protection

Free vs Premium

Free (Solid Security Basic on WordPress.org): core security hardening. Pro ($99/year, 1 site): advanced 2FA, vulnerability scanning, magic links, trusted devices. Solid Suite ($199/year): Security + Backups + Central.

Common Problems & Fixes

Solid Security locked out an administrator — after too many login attempts, the admin cannot access the site. How do I recover access?

Access recovery options: (1) wait for the lockout period to expire (default: 15-60 minutes depending on configuration); (2) add your IP to the whitelist via FTP: edit wp-config.php and add define('ITSEC_DISABLE_MODULES', true); which temporarily disables Solid Security; (3) connect via FTP and rename the Solid Security plugin folder (wp-content/plugins/better-wp-security → better-wp-security-disabled) to deactivate it; (4) if database access is available, clear the lockout from the itsec_lockouts table.

Solid Security file change detection is sending too many email alerts — every WordPress update triggers hundreds of notifications. How do I reduce alert volume?

File change detection alerts fire when any monitored file changes. To reduce volume: (1) in Solid Security → File Change → Settings, reduce the scan frequency (daily rather than hourly); (2) exclude known-safe directories from scanning (wp-content/uploads, wp-content/cache) — these change frequently with normal site operations; (3) after a WordPress or plugin update, manually clear the file change detection baseline so the new file state becomes the reference point; (4) configure Solid Security to only alert on changes to core WordPress files rather than all files.
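The following Python example is added here and is not Solid Security's code. It shows how a hash-baseline file change detector behaves, and why excluding wp-content/uploads and wp-content/cache and re-baselining after a planned update cut the alert volume while an unexpected core file edit is still reported. The directory tree, the "shop" plugin and all file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
EXCLUDED_DIRS = ("wp-content/uploads", "wp-content/cache")  # noisy dirs named in the text

def snapshot(root, excluded=EXCLUDED_DIRS):
    """Map each file path (relative to root) to its SHA-256, skipping excluded dirs."""
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into an excluded directory.
        dirnames[:] = [d for d in dirnames if rel(os.path.join(dirpath, d)) not in excluded]
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                hashes[rel(fh.name)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def diff(baseline, current):
    """Paths added, changed or removed since the baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed WordPress-like tree (the 'shop' plugin is hypothetical); returns three diffs."""
    with tempfile.TemporaryDirectory() as root:
        def write(relpath, text):
            path = os.path.join(root, relpath)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("wp-includes/version.php", "<?php // core, original")
        write("wp-content/plugins/shop/shop.php", "<?php // plugin v1")
        base_all, base = snapshot(root, excluded=()), snapshot(root)
        # Routine activity: a media upload, a cache write, a planned plugin update.
        write("wp-content/uploads/2024/banner.png", "constructed image bytes")
        write("wp-content/cache/page-1.html", "<html>cached</html>")
        write("wp-content/plugins/shop/shop.php", "<?php // plugin v2")
        unfiltered = diff(base_all, snapshot(root, excluded=()))
        filtered = diff(base, snapshot(root))
        base = snapshot(root)  # re-baseline after the planned update
        write("wp-includes/version.php", "<?php // core, modified unexpectedly")
        after_rebaseline = diff(base, snapshot(root))
    return unfiltered, filtered, after_rebaseline

if __name__ == "__main__":
    print(demo())
```

The first diff contains the upload and cache files as noise, the second only the planned plugin update, and the third only the core file that changed after the baseline was reset.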

After changing the WordPress login URL with Solid Security, the site shows a 404 at /wp-login.php but the new URL is not working. How do I recover?

Login URL changes require permalink flushing to take effect. If the new URL is not working: (1) access wp-admin via the old URL — it may still work if caching serves the old version; (2) if completely locked out, use FTP to create a file named “emergency.php” in the site root with the code: <?php require('wp-load.php'); itsec_hide_backend_disable(); — this disables the hide-backend feature; (3) alternatively, deactivate Solid Security via FTP (rename the plugin folder) and flush permalinks by visiting Settings → Permalinks.

Customization & Developer Notes

How do I enable two-factor authentication for all administrator accounts using Solid Security?

In Solid Security → Two-Factor → Settings, configure 2FA requirements by user role. Set Administrator role to require 2FA. Users in the required role see a 2FA setup prompt on their next login. They can choose their 2FA method (authenticator app TOTP, email code, or passkeys if Pro). The grace period setting gives users a configurable number of logins before 2FA becomes mandatory — set to 0 to require immediate 2FA setup. Backup codes are generated for each user to prevent account lockout if they lose their 2FA device.

How do I configure Solid Security to automatically patch vulnerable plugins?

Solid Security’s vulnerability scanning uses the Patchstack database to identify vulnerable plugins and themes. Go to Solid Security → Site Scan → Auto-Patching Settings. Enable automatic updates for vulnerable plugins: Solid Security can automatically update a plugin when a security update is available that patches the detected vulnerability. Configure notification settings to alert administrators when a vulnerability is detected and when a patch is applied. This automatic patching significantly reduces the window between vulnerability disclosure and site protection.

Frequently Asked Questions

Is Solid Security better than Wordfence?

Both provide excellent WordPress security, with different strengths. Wordfence has a larger community, more extensive documentation, and a very powerful real-time malware scanner. Solid Security’s strengths are its approachable setup wizard, Patchstack vulnerability integration, and the SolidWP ecosystem cohesion (Security + Backups + Central). For teams already using SolidWP products, Solid Security is the natural fit. For those who want maximum security depth, Wordfence’s scanner and firewall are hard to match. Neither is definitively better — the right choice depends on your team’s technical comfort and existing stack.

Does Solid Security protect against malware?

Solid Security provides vulnerability scanning (checking for known vulnerable plugin/theme versions) and file change detection (alerting when files change unexpectedly). It does not provide a server-level malware scanner that scans file contents for malicious code — that capability is Wordfence’s or Sucuri’s speciality. For malware detection, combine Solid Security’s prevention features with a dedicated malware scanner (MalCare provides excellent cloud-based scanning as a complement).

Can Solid Security break after updates?

Yes, that can happen, especially on older sites with many plugins. This usually happens when the plugin, theme, and add-ons are updated out of sequence. In most cases, testing on staging catches the issue before it reaches the live site. From experience, backups and changelog reviews save a lot of cleanup time.

What should I check before installing Solid Security?

Start by checking whether another plugin already does the same job. In most cases, overlap is what creates avoidable conflicts and performance issues. A common issue is installing a plugin because it looks convenient without checking the stack first. From experience, a short compatibility review avoids most of the pain later.
