Security
Harden your site against common WordPress attacks
The Security Center (open your site → Security) lets you harden the site against common WordPress attacks. A baseline firewall and HTTPS are on by default and managed for you — the toggles here add extra protection on top.
Always on
- HTTPS — free, automatic TLS on your default domain and any custom domain you connect.
- Baseline firewall — enabled by default and managed automatically.
Firewall & protection
Each of these is a switch that applies immediately — no restart, no confirm:
- Disable XML-RPC (recommended) — turns off the XML-RPC protocol, a common brute-force and abuse target. Leave it off unless a tool you use needs it.
- Protect wp-includes Directory — blocks direct web access to the
wp-includesfolder. - Login Page Protection — restricts direct access to
wp-adminandwp-login.phpfrom unauthorized requests, cutting down brute-force attempts. - Security Headers (recommended) — adds
X-Frame-Options,X-Content-Type-Options,X-XSS-Protection, andReferrer-Policyto defend against clickjacking, XSS, and MIME-sniffing. - Real IP (recommended) — passes the visitor's real IP through proxy headers so your logs and security tools see the actual client, not the proxy.
A good default setup
Turn on Disable XML-RPC, Security Headers, and Real IP — they're safe for almost every site. Add Login Page Protection and Protect wp-includes for extra hardening.
Coming soon
More controls are on the way and appear greyed-out until they ship: Bot Protection, 8G Firewall, disable RSS/Atom feeds, disable wp-links-opml.php, Protect wp-content, Password Strength Requirement, and Session Timeout.