1. Open your browser and go to:
2. Sign in with your hosting credentials.
3. In the left-hand menu, click WordPress. You’ll see a list of all WordPress installations on your account.
4. Find the WordPress site you want to protect.
5. Click the small arrow to expand options.
6. Click “View” or just click the site’s name to open its details.
7. Inside the site’s dashboard, look for Security Status.
8. Click “Check Security”. Plesk will scan your website and show a list of recommended protections.
After the scan, you’ll see several security options you can enable:
Security Option | What It Does |
---|---|
Disable file editing | Prevents hackers from editing files through WP admin |
Block access to wp-config.php | Protects your configuration file from being read |
Block access to .htaccess | Secures your server configuration file |
Disable directory browsing | Prevents visitors from viewing folder contents |
Restrict wp-content access | Stops direct file access (e.g. PHP) in media folders |
Security keys reset (optional) | Generates new authentication keys |
Just check the boxes for what you want to apply, then click “Secure”.
Once done:
- The panel will show which actions were applied successfully
- Any issues or skipped items will show with a warning or red icon
- You can recheck security at any time
Plesk’s WordPress Toolkit settings stay active unless changed. No need to redo them every day — but you can come back anytime to:
- Reapply if settings are lost after a plugin/theme update
- Review if you reinstall WordPress
- Check security after a migration
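
To confirm from outside the panel that the protections are still in effect, for example after a migration, the script below requests the paths that three of the options in the table are meant to block. It is an added example, not part of Plesk or WordPress Toolkit; the uploads path, the way status codes are interpreted and the sample responses are assumptions.

```python
import sys
import urllib.error
import urllib.request

# (path, option from the table, test that is True when the path is still exposed).
# The uploads path and the status-code interpretation are assumptions.
CHECKS = [
    ("/wp-config.php", "Block access to wp-config.php", lambda s, b: s == 200),
    ("/.htaccess", "Block access to .htaccess", lambda s, b: s == 200),
    ("/wp-content/uploads/", "Disable directory browsing",
     lambda s, b: s == 200 and "Index of" in b),  # title of Apache/nginx listings
]

def fetch(base_url, path, timeout=10):
    """GET base_url + path and return (status, start of body)."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            if not r.geturl().endswith(path):   # redirected away, e.g. to the home page
                return 302, ""
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:         # 403/404 are answers, not failures
        return e.code, ""

def audit(base_url, fetcher=fetch):
    """Return the table options that do not appear to be enforced."""
    return [option for path, option, exposed in CHECKS
            if exposed(*fetcher(base_url, path))]

# Constructed responses (not real captures): before and after clicking "Secure".
BEFORE = {"/wp-config.php": (200, ""), "/.htaccess": (200, "# BEGIN WordPress"),
          "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>")}
AFTER = {"/wp-config.php": (403, ""), "/.htaccess": (403, ""),
         "/wp-content/uploads/": (403, "")}

def canned(responses):
    """Fetcher that replays constructed responses, so the demo runs offline."""
    return lambda base_url, path: responses[path]

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python check.py https://your-site.example
        results = audit(sys.argv[1])
    else:
        results = audit("https://site.example", canned(BEFORE))
    for option in results:
        print("NOT ENFORCED:", option)
    print("checked", len(CHECKS), "options;", len(results), "not enforced")
```

“Disable file editing” and “Security keys reset” cannot be observed without logging in, and “Restrict wp-content access” needs a test file in place, so the script does not cover them; use “Check Security” in the panel for those.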
Best Practice | Why It Matters |
---|---|
Use strong passwords | Prevents brute-force login attempts |
Enable auto-updates for plugins/themes | Fixes vulnerabilities as soon as they’re patched |
Back up regularly | So you can restore your site after an attack |
Avoid outdated themes/plugins | These are common hacker entry points |
Limit login attempts or use CAPTCHA | Stops bots from guessing your password |