![DoorGrow-Logo_Horizontal-1.png]](https://help.doorgrow.com/hs-fs/hubfs/DoorGrow-Logo_Horizontal-1.png?height=40&name=DoorGrow-Logo_Horizontal-1.png){kind=logo}
How to Harden Security on Your DoorGrow-Hosted WordPress Site
Your hosting is already secure. Here's how to take it a step further with two free plugins.
Your site is already protected. DoorGrow's hosting platform includes server-level security out of the box — brute force attack prevention, locked-down core WordPress files, nightly backups, managed WordPress updates, and free malware cleanup if an infection is ever detected. Most sites don't need anything beyond what's already in place.
That said, if you want an extra layer of protection and visibility into what's happening on your site, the two steps below will add a firewall, malware scanning, and a complete activity log — all using free, lightweight plugins that are fully compatible with our hosting platform.
Step 1: Install Wordfence (Security & Firewall)
Wordfence is the most widely used WordPress security plugin, with over 5 million active installations. The free version adds a firewall that filters malicious traffic, a malware scanner that checks your files for suspicious code, brute force login protection, and two-factor authentication.
To install: Go to Plugins > Add New, search for "Wordfence Security," click Install Now, then Activate. Wordfence will walk you through a brief setup wizard.
Recommended Settings
Scan type: Keep it on "Standard" (the default). This is thorough enough to catch problems without being resource-heavy.
Scan schedule: Leave at the default interval. No need to increase the frequency.
Live Traffic: Keep this set to "Security-related traffic only" (the default). Switching it to "All traffic" will log every single visit and can slow your site down significantly.
Firewall: The Web Application Firewall (WAF) runs in the background and blocks malicious traffic. It works well out of the box. If you ever experience 403 errors when saving changes in your page builder or other tools, temporarily switch the firewall to Learning Mode — this lets Wordfence observe your normal activity and stop flagging it as suspicious.
Rate limiting: If you need rate limiting, we recommend setting it up through Cloudflare rather than Wordfence, since Cloudflare handles it at the network level without using your site's resources.
False Positives to Ignore
After running your first scan, you'll likely see warnings for these files:
- wp-admin/includes/file.php
- wp-admin/includes/upgrade.php
- wp-settings.php
These are false positives and are safe to ignore. Our hosting platform intentionally locks down these WordPress core files for security, which causes Wordfence to flag them as "modified." Select Ignore > Always ignore to dismiss them.
If the scanner finds something that looks genuinely malicious, contact our support team and we'll run an in-depth scan for you.
Step 2: Install Simple History (Activity Log)
Simple History is a lightweight activity log plugin that tracks who did what on your site and when. It records user logins, post and page edits, plugin activations and deactivations, settings changes, failed login attempts, and more.
This is especially useful if multiple people have access to your site. If something breaks or looks different, you can check the log and trace it back to the specific change and the person who made it.
To install: Go to Plugins > Add New, search for "Simple History," click Install Now, then Activate.
That's it — no configuration needed. Simple History starts tracking activity immediately after activation. You can view the log from your WordPress dashboard or from the Simple History menu item in the admin sidebar.
That's It
With these two plugins installed, your site now has:
- Server-level security from our hosting platform (already in place)
- A firewall and malware scanner from Wordfence
- A complete activity log from Simple History showing who did what and when
If you have any questions or run into issues, reach out to our support team and we'll be happy to help.