MagicWP Docs

Security

Harden your site against common WordPress attacks

The Security Center (open your site → Security) lets you harden the site against common WordPress attacks. A baseline firewall and HTTPS are on by default and managed for you — the toggles here add extra protection on top.

Always on

  • HTTPS — free, automatic TLS on your default domain and any custom domain you connect.
  • Baseline firewall — enabled by default and managed automatically.

Firewall & protection

Each of these is a switch that applies immediately — no restart, no confirm:

  • Disable XML-RPC (recommended) — turns off the XML-RPC protocol, a common brute-force and abuse target. Leave it off unless a tool you use needs it.
  • Protect wp-includes Directory — blocks direct web access to the wp-includes folder.
  • Login Page Protection — restricts direct access to wp-admin and wp-login.php from unauthorized requests, cutting down brute-force attempts.
  • Security Headers (recommended) — adds X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Referrer-Policy to defend against clickjacking, XSS, and MIME-sniffing.
  • Real IP (recommended) — passes the visitor's real IP through proxy headers so your logs and security tools see the actual client, not the proxy.

A good default setup

Turn on Disable XML-RPC, Security Headers, and Real IP — they're safe for almost every site. Add Login Page Protection and Protect wp-includes for extra hardening.

Coming soon

More controls are on the way and appear greyed-out until they ship: Bot Protection, 8G Firewall, disable RSS/Atom feeds, disable wp-links-opml.php, Protect wp-content, Password Strength Requirement, and Session Timeout.

On this page