WordPress Toolkit can enhance the security of WordPress installations (for example, by turning off XML-RPC pingbacks, checking the security of the wp-content folder, and so on).
We call individual improvements you can make to the installation’s security “measures”. We consider certain measures to be critical. For that reason, WordPress Toolkit applies them automatically to all newly created installations.
On the installation’s card next to “Security”, you can see the following security messages:
-
- “Fix security” means that not all critical security measures were applied.
- We strongly recommend that you apply them all.
-
- “Check security” means that all critical security measures were applied,
- while some recommended measures were not.
- “View settings” means that all security measures (critical and recommended) were applied.
Note: Some security measures, once applied, can be reverted. Some cannot. We recommend that you back up a WordPress installation before securing it.
You can secure WordPress installations individually or multiple installations at a time.
To secure an individual WordPress installation:
- Go to WordPress, choose the installation you want to secure, and then, on the installation card, click the message next to “Security” (for example, “Fix security”).
- Wait for WordPress Toolkit to display the security measures you can apply.
- Select the security measures you want to apply, and then click Secure.
All selected measures will be applied.
To secure multiple WordPress installations:
- Go to WordPress and then click Security.
- You will see the list of your WordPress installations. For every installation, you can see how many critical (indicated by the
icon) and recommended (the 
icon) security measures can be applied to it. To see the list of measures that can be applied, click the corresponding icon. If all security measures are applied, you will see the 
icon instead. - (Optional) To see more information about all security measures and to manage them for an individual WordPress installation,
next to the desired installation. To return to managing security of multiple installations, click 
next to “Security Status Of Selected Websites”. - Select installations to which you want to apply security measures and then click Secure.
- By default, only critical security measures are selected to be applied. You can also select:
- Security measures of your choice. To do so, click the “Custom selection” radio button.
- All security measures at once. To do so, click the “All (critical and recommended)” radio button.
- Click Secure.
icon) and recommended (the 
icon) security measures can be applied to it. To see the list of measures that can be applied, click the corresponding icon. If all security measures are applied, you will see the 
icon instead.
next to the desired installation. To return to managing security of multiple installations, click 
next to “Security Status Of Selected Websites”.The selected measures will be applied.
Reverting Security Measures
In rare cases, applying security measures can break your website. In this case, you can revert security measures you have applied. Not all security measures can be reverted. Those that can be are marked as “(can be reverted)”. You can revert security measures for an individual WordPress installation or for multiple WordPress installations at a time.
To revert applied security measures for an individual installation:
-
Go to WordPress, choose the installation for which you want to revert an applied measure, and then, on the installation card, click the message next to “Security” (for example, “Check security”).
-
Wait for WordPress Toolkit to display the list of security measures.
-
Select the security measures you want to revert and then click Revert.
The applied security measures will be reverted.
To revert applied security measures for multiple installations:
- Go to WordPress and then click Security.
- You will see the list of WordPress installations hosted on the server and whether critical and recommended security measures were applied to them or not.
- (Optional) To see more information about all security measures and to manage them for an individual WordPress installation, click next to the desired installation. To return to managing security of multiple installations, click next to “Security Status Of Selected Websites”.
- Select installations for which you want to revert security measures and then click Revert.
- Select security measures you want to revert and then click Revert.
The applied security measures will be reverted.
Backup and Restore
To help prevent data loss, you can back up and restore websites. To do so, you can use either the WordPress Toolkit feature or the general Sandbox.page backup mechanism, called Backup Manager.
Creating backups in WordPress Toolkit may be more convenient than in Backup Manager because of the following reasons:
- WordPress Toolkit backs up an individual website, while Backup Manager backs up the whole subscription with all the subscription’s websites and their data.
- If you need to back up an individual website, a WordPress Toolkit backup requires less time and disk space.
- Creating backups in WordPress Toolkit does not require any setup.
To back up a WordPress website:
-
Go to WordPress and then click Back up / Restore on the card of the WordPress installation you want to back up.
-
Click Back up.
Once the backup is finished, it will be displayed in the list of WordPress Toolkit backups.
To restore a WordPress website:
-
Go to WordPress and then click Back up / Restore on the card of the WordPress installation whose backup you want to restore.
-
Click the
icon corresponding to the backup you want to restore.Note: Restoring a backup removes all changes you made to the website after the backup date. For this reason, WordPress Toolkit suggests that you back up the current state of your website and use this backup to restore.
-
Click Restore.
icon corresponding to the backup you want to restore.You have restored your backup.
To be on the safe side, you may want to download WordPress Toolkit backup files to store them elsewhere.
To download WordPress Toolkit backup files:
-
Go to WordPress and then click Back up / Restore on the card of the WordPress installation whose backup files you want to download.
-
Click the
icon corresponding to the backup whose file you want to download.You will be redirected to the directory in File Manager (/wordpress-backups in the website’s home directory) where WordPress Toolkit backups are stored.
-
Click the
icon corresponding to the backup file you want to download and then click Download.
icon corresponding to the backup whose file you want to download.
icon corresponding to the backup file you want to download and then click Download.You have downloaded a backup file.
You can delete WordPress Toolkit backups you no longer need.
To delete a WordPress Toolkit backup:
- Go to WordPress and then click Back up/Restore on the card of the WordPress installation whose backup file you want to delete.
- Click the
icon corresponding to the backup you want to delete and then click Delete.
icon corresponding to the backup you want to delete and then click Delete.You have deleted a backup.
Restoring a WordPress Installation from a Restore Point
When you update the WordPress core or copy data from one WordPress installation to another, WordPress Toolkit suggests creating a restore point before beginning the operation. If you are not happy with the results, you can use the restore point to roll back the changes and restore your installation to the state it was in before the operation.
Note: WordPress Toolkit suggests creating a restore point only when you update a single WordPress installation.
Making Full Restore Points
By default, a restore point contains only the data that will be affected when copying data or updating. You can have WordPress include all the target installation data, both files and the database, in the restore point. To do so, go to WordPress, click “Settings”, select the “Always make full website snapshots” checkbox, and then click OK. Full restore points provide the maximum chances of successful recovery, but take longer to create and take up more disk space than regular restore points.
To restore a WordPress installation from a restore point:
-
Go to WordPress and find the card of an installation you want to restore.
-
Click the
icon next to “Restore Point” and then click Continue.
icon next to “Restore Point” and then click Continue.
The restoration will begin. Your installation will be restored to the state it was in before the operation.
The restore point takes up disk space which is included in your allowed disk space quota. After you have restored your WordPress installation, or once you have determined that all is good and there is no need to restore, you can delete the restore point.
To delete a restore point:
- Go to WordPress and find the restore point you want to delete.
- Click the icon next to “Restore Point”, and then click Remove.
icon next to “Restore Point”, and then click Remove.Note: Every WordPress installation can only have a single restore point. Creating a restore point overwrites the existing restore point, if any.
It is important to note that a restore point is not the same as a backup. Making any changes to the target installation after you copy data or update it may make restoring from the restore point impossible. If you are copying data or updating a live production WordPress installation, we recommend that you back it up beforehand in addition to creating a restore point.