The Protect Your WordPress Website with WebARX guide will show you how to configure this plugin for added website security.
As part of a multi-level security approach, the very first thing you should focus on is your website hosting. We recommend Kinsta hosting for many reasons, including their approach to security and their Security Guarantee.
For those that want to take their security to another level, while potentially eliminating some plugins, WebARX may be for you.
WebARX has a massive feature set that does much more than security, without slowing down your website.
For this guide, we went through and tested every setting of WebARX, to get an in-depth understanding of the product, rather than just turning it on and expecting it to do everything we need.
We also pulled up our WebARX portal side-by-side with our WordPress dashboard (i.e. WebARX plugin), to ensure consistency across both sides of the product.
Our Professional Website Maintenance plan includes a WebARX license, as well as management of your WebARX environment.
WebARX for WordPress Features
Prevent Attacks and Malware
Manage security on all your WordPress sites via one platform. Prevent attacks and malware infections.
- Managed Web Application Firewall
- Custom Firewall Rules
- Plugin Vulnerability Monitoring
- Up-time and SSL Monitoring
- Blacklist Monitoring
- Email and Slack Alerts
- PDF Security Reports
- Automatic Off-Site Backups
- WordPress Hardening
- 24/7 Security Monitoring
- 2 Factor Authentication
- Plugin Remote Management
- Website Software Overview
- User Activity Logging
- User Management
Prevent Attacks With Firewall
WebARX is mainly known for its advanced Web Application Firewall, which is automatically updated to protect against plugin and theme vulnerabilities and can be installed in less than a minute.
- Block malicious bots and hacking attempts
- Prevent malware infections
- Secure your website from plugin vulnerabilities
- Protect your website from brute-force attacks
- Make your own rules with WebARX firewall engine
Gain complete security overview and set up alerts on Slack and Email when immediate attention is required. Daily security scans and monitoring will give you an in-depth understanding of the state of your websites.
- Plugin vulnerability monitoring
- SSL/TLS certificate monitoring
- Up-time monitoring
- Blacklist monitoring
- Domain expiration monitoring
Complete WordPress Hardening
Easily adopt modern security practices such as security headers, 2FA, reCAPTCHA and more. All security configurations can be done within minutes directly from the WebARX WordPress plugin.
- Login Rate Limiting
- reCAPTCHA & 2 Factor Authentication
- User Activity Logging
- HTTP Security Headers
Must-Have Off-Site Backups
It’s never a good idea to keep your backups on the site itself. With WebARX you can keep off-site backups and still be the only one with access to them.
- Off-Site Backups
- Only You Have the Access
- Integration with Google Drive
- Set the Desired Frequency Yourself
- Backups are Automated
Alerts and Security Reports
Get alerts on issues that need immediate attention. Set Slack and email notifications on all monitoring scans and export full PDF reports for your customers.
- Customize when to receive alerts
- Receive alerts on Slack
- Receive alerts on email
- Send alerts to alternative emails
- Generate full security reports (PDF)
- Customize reports with your company logo
- Create weekly reports
Go at WebARX on Your Own
- Sign up for a 14-day FREE Trial. (Note: You are required to put in payment information.)
- Add your website(s).
- From your WebARX dashboard, click Setup Plugin.
Note: Every website is unique and sometimes auto-installation will not work for many reasons. We recommend that you download the plugin and add it to your site(s) manually, rather than using the Auto-Installation option.
- Download the plugin by clicking the “I want to install the plugin manually” link.
- Click the Download icon.
- WordPress Dashboard > Plugins > Add New > Upload Plugin > Choose File.
- Browse to the location where you downloaded the plugin and double-click it to upload it.
- Click Install Now.
- Click Activate Plugin.
After you’ve added your site, you will get information about monitoring, activity logs, etc. Give WebARX up to 15 minutes to fully populate the dashboard.
If/when an attack is attempted on your website, the firewall logs will also start to populate.
Hardening (Security Configurations)
All of these settings are enabled by default and we leave them that way. We’ve included some notes for some of the settings.
- Disable plugin/theme edit: Many find it annoying to have this turned on, but it’s simple enough to toggle this setting (enabled/disabled) on an as-needed basis. Security over convenience!
- Move logs folder
- Disable WPScan from getting basic information: Simply put, the more information you disclose, the more you leave your website open to being exploited.
- Disable user enumeration
- Hide your WordPress version from WPScan advanced fingerprinting
- Enable activity log
- Disable XML-RPC
While reCAPTCHA should be evaluated on a site-by-site basis, we really see no downsides to enabling all of the settings in this section.
What’s really awesome about this, is the ability to eliminate any reCAPTCHA plugins that you may have going. Some people even pay for premium reCAPTCHA plugins, so this is potentially a cost-saving solution.
We enable all of these settings, using reCAPTCHA v2 (Invisible), which provides protection without the annoying checkbox.
Note: We have spoken to WebARX and confirmed that reCAPTCHA v3 is on the roadmap. So, for now, be sure to use v2 rather than v3.
- Post comments form
- Login form
- Registration form
- Password reset form
- reCAPTCHA version (invisible/normal): reCAPTCHA v2.
- Site Key / Secret Key: You’ll enter your keys, by following the settings below.
How to get the Site and Secret keys for reCAPTCHA
- Log in to your Google account.
- Go to the reCAPTCHA Admin website.
- Scroll down to the Register a new site section.
- For the Label field, enter your website name.
- Check reCAPTCHA v2 (or a different reCAPTCHA version you wish to use).
- In the domains field, enter your domain(s).
- Add additional Owners, if you collaborate with others on the management of your website.
- Accept the reCAPTCHA Terms of Service.
- Click Submit.
- You will now see the Site key and Secret key which you will need to copy over to the WebARX plugin or WebARX admin dashboard, then save the settings within WebARX.
Note: If you enable reCAPTCHA within WebARX, be sure to go through your entire website implementation (theme, plugins, files, etc.) and remove any other instances of reCAPTCHA.
We have found reCAPTCHA in the following places, within a WordPress website:
- Elementor > Settings > Integrations > reCAPTCHA.
Firewall (Firewall Settings)
- Enable Firewall: Enabled with the default settings until there is a good reason to change them.
- Firewall user role whitelist: This will differ from website to website, but we recommend only whitelisting what’s chosen by default, at a minimum. Another good option is to go to WordPress > Users and see what roles people have assigned. If, for example, there are no “Author” roles assigned, consider not whitelisting that role until the situation changes. In short, be as restrictive as possible.
Firewall (.htaccess Features)
For anyone using website hosting with NGINX servers, such as Kinsta, these features aren’t needed, and you can simply check the box next to “Disable .htaccess features”.
If you’re using hosting other than Kinsta, please reach out to their support team or your website maintenance/support provider to verify the server technology that’s running.
Note: We spoke to WebARX regarding a feature request to grey out all of the options that relate to .htaccess once the above box is checked. They agree with that request and have added it to their to-do list.
For those not on NGINX servers, we recommend leaving the default settings to start, along with enabling “Prevent image hotlinking”.
Note: Hotlink Protection prevents other websites from directly linking to image files from your website. So, when another website is visited, it cannot load pictures from your website, thus limiting the outbound traffic for your account. All of Cloudflare’s plans include Hotlink Protection, under the Scrape Shield tab. This setting is not enabled by default.
Firewall (IP Whitelist & Blacklist)
We leave this section alone until we have a reason not to.
Login Protection (Login Protection)
Move and rename login page
On websites where there are primarily only higher-profile user roles in play (administrators, editors, shop managers, etc.), enabling this setting is a slam dunk.
For websites with significant user and customer activity (directories, forums, memberships, etc.), we still recommend enabling this setting, but keep it in mind should login issues be reported.
Bonus: If you typically use a plugin like WPS Hide Login, this setting allows you to remove yet another plugin.
Automatic brute-force IP ban
We recommend enabling this setting and going with the defaults. WebARX will detect attempts being made at guessing passwords and will block the originating IP for a period of time.
Bonus: If you typically use a plugin like WP Limit Login Attempts, this setting allows you to remove yet another plugin.
This will have to be examined on a site-by-site basis. For websites that have customers around the world, for example, it’s probably best to keep this setting off.
Website support should also be taken into consideration, as vendors are often dispersed around the globe. That said, with how easy it is to enable/disable this setting, it might be worth it to leave it disabled until support is needed. Lastly, you should really only be giving access to your staging environment, where security is typically a bit more lax.
Login Protection (Two Factor Authentication)
This setting allows you to further tighten the security of WordPress user accounts.
Note: We’ve reached out to WebARX about adding more information to the Two Factor Authentication area of the user profile. As it is now, this is not very user-friendly, especially for non-techies who haven’t yet been exposed to this technology. WebARX confirmed this is on the roadmap.
You can enable this setting by doing the following:
- From the WebARX portal or your WordPress dashboard, go to Hardening > Login Protection > Two Factor Authentication.
- Check the Two Factor Authentication box.
- Click Save Settings.
- WordPress dashboard > Users.
- Edit the user that you wish to enable this setting for.
- Check the box above the QR code to enable this setting.
- Click Update Profile.
Login Protection (Currently Blocked IP Addresses)
You may have to reference this section when troubleshooting access issues for your website.
Also, you could use this section to identify IP addresses that you could/should block indefinitely, as well as those that you may want to add to your Whitelist.
Login Protection (Whitelisted IP Addresses)
This section is for information purposes only. Use this section to easily identify IP Addresses you’ve chosen to Whitelist in the past.
Cookie Notice (Cookie Notice Settings)
This is a great feature! It eliminates the need for other Cookie Notice solutions like Elementor Popups, Cookie Notice plugins, etc. WebARX allows you to easily implement and style a Cookie Notice that also has scheduling capability. To enable the Cookie Notice in WebARX, please refer to the following:
- From the WebARX portal or your WordPress dashboard, go to Cookie Notice.
- Check the Enable Cookie Notice box.
- Enter message for displaying > Leave as default or adjust as desired.
- Cookie acceptance button text > Leave as default or adjust as desired.
- Background color > Leave as default or adjust as desired.
- Text color > Leave as default or adjust as desired.
- Enable Policy Link > Check the box to enable.
- Enter Policy Text > Leave as default or adjust as desired.
- When to ask user permission again > Choose the desired length of time before asking for confirmation again.
- Background opacity > This sets the transparency of the cookie notice background. (Note: In our screenshot below, we’re showing the default opacity settings.)
- Display WebARX credits > Choose whether you want to show the world that you’re using WebARX. (Note: We’ve given this some serious thought and cannot think of a reason to show the credits. Can’t blame them for trying though.)
Note: If you’ve previously implemented a Cookie Notice solution (Elementor Popup, Cookie Notice plugin, etc.), be sure to remove (or disable) them.
Logs (Cookie Notice Settings)
Nothing to configure here, but we recommend that you take the time to review your logs on a routine basis.
Htaccess Backup (Backup / Restore / Reset)
This section can be ignored if you’re on NGINX servers. Even if you’re not, this section can mostly be ignored.
Backup (Google Drive)
We always preach to website owners about having multiple backup solutions, with completely separate vendors (website hosting company, backup plugin, etc.). This is a really nice feature from WebARX that provides a simple way to add an extra location for your website. Google Drive provides up to 15 GB for FREE, on the Personal plan.
Set Up Google Drive Backup
- Click Connect to Google Drive.
- Choose a Google account to authenticate with.
- Choose to allow WebARX to access your Google Drive.
- Configure your desired settings (or leave the defaults) and off you go!
If you ever want to discontinue the backups, simply click the Disable Backups button within WebARX. While you should obviously trust WebARX at this point, do note that “Disable Backups” does not remove the authentication from your Google Account.
Remove WebARX Authentication From Your Google Account
- Log into the security area of your Google account.
- Locate the Third-party apps with account access section.
- Click the Manage third-party access link.
- Locate the Signing in with Google section.
- Click on WebARX.
- Click Remove Access.
- Click Ok.
Tip: While you’re there, you should probably give your Google account a quick audit. After all, we are discussing security, right?
Ideally, you shouldn’t have to mess with this area unless you are experiencing issues connecting/verifying your license with WebARX servers.
Add More Sites to WebARX
- Enter the website URLs as directed.
- Click Add Websites.
- Click Close.
- Repeat the steps in the Install WebARX section.
- Configure the settings for your newly-added website, using the Hardening tab. (Important: At this time, WebARX will, by default, check these boxes for settings, but the settings aren’t actually activated. For the settings you wish to set, be sure to uncheck them, check them back on, and then save. We’ve contacted WebARX about this.)
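Because a checked box does not guarantee an active setting, it helps to confirm three of the Hardening options from the outside. The following is an added example, not WebARX code and not part of the original guide: it audits HTTP responses captured from your own site for the leaks that "Hide your WordPress version", "Disable user enumeration" and "Disable XML-RPC" are meant to close. The sample responses, the example.test domain and the 403 blocking response are constructed assumptions.

```python
import re

# Constructed sample responses (not from a real site), keyed by request:
# (status, headers, body). UNHARDENED mimics stock WordPress behaviour.
UNHARDENED = {
    "GET /": (200, {}, '<meta name="generator" content="WordPress 5.4.2" />'),
    "GET /?author=1": (301, {"Location": "https://example.test/author/admin/"}, ""),
    "GET /xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
}
# Assumption: a hardened site answers the probes with 403; the real plugin
# response may differ, which is why the checks look for leaks, not for 403.
HARDENED = {
    "GET /": (200, {}, "<title>Example</title>"),
    "GET /?author=1": (403, {}, "Forbidden"),
    "GET /xmlrpc.php": (403, {}, "Forbidden"),
}

GENERATOR = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+WordPress\s*([\d.]*)', re.I)
AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)")


def audit(responses):
    """Map each hardening setting that is NOT in effect to the evidence."""
    findings = {}

    _, _, body = responses["GET /"]
    match = GENERATOR.search(body)
    if match:
        findings["Hide your WordPress version"] = (
            "generator tag exposes WordPress " + match.group(1)).strip()

    status, headers, _ = responses["GET /?author=1"]
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    match = AUTHOR_SLUG.search(location)
    if 300 <= status < 400 and match:
        findings["Disable user enumeration"] = (
            "redirect reveals author slug " + match.group(1))

    status, _, body = responses["GET /xmlrpc.php"]
    if "XML-RPC server accepts POST requests only" in body:
        findings["Disable XML-RPC"] = "endpoint still answers (HTTP %d)" % status

    return findings


if __name__ == "__main__":
    for name, sample in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit(sample) or "no leaks found")
```

To run it against your own site, fill the dictionary from your HTTP client's responses with redirect-following turned off, so the `/?author=1` redirect is visible.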
Manage Sites Using Your WebARX Dashboard
Once websites are activated with WebARX, you can easily manage them from your dashboard, as if you were logged into your website.
- Log into your WebARX Dashboard.
- Click on the desired website.
- Review your logs or make settings changes and have them instantly kick in on your website.
If We Manage WebARX for You
This one is pretty simple. If you would rather focus on building your business rather than worry about managing WebARX or website maintenance in general, you can sign up for our Professional Website Maintenance plan.
If you’ve already got your website maintenance under control, we can install and configure WebARX for you, under our hourly support.