You already have enterprise-grade infrastructure protection through Kinsta’s native security features via isolated containers, a Cloudflare Enterprise WAF, SOC 2 Type II compliance, and mandatory MyKinsta Two-Factor Authentication (2FA).

However, infrastructure security forms only half the equation. WordPress security workflows are necessary to halt the sophisticated attacks that target the platform directly to exploit plugin vulnerabilities and compromise your credentials.

This guide demonstrates how to build the security workflows that leverage Kinsta’s native capabilities while implementing some essential WordPress-level protections.

Two-Factor Authentication (2FA) for administrators, clients, and staff

Kinsta mandates 2FA for MyKinsta access, which is a great start in securing your hosting infrastructure. This protects server configurations, billing, deployment tools, and everything you use to manage your servers and sites.

The MyKinsta dashboard showing the Authenticator panel within the User Settings. There are also panels for connecting to Git and for SSH keys.
The Authenticator panel within the MyKinsta dashboard.

However, WordPress operates independently. For instance, attackers targeting wp-login.php will bypass MyKinsta entirely. Even with locking down Kinsta’s infrastructure, valid WordPress credentials grant immediate site access to whoever has them without additional verification.

The distinction proves critical: MyKinsta 2FA protects hosting account access (SSH, staging, backups, and more), while WordPress 2FA protects any content management access. As such, you need both layers to protect the entirety of your site.

Implementing WordPress 2FA alongside Kinsta’s infrastructure protection

Using a plugin to add 2FA for your website is an almost necessary step. There are lots of options available from some of the leading developers in WordPress. The first option is Two-Factor, from the WordPress.org team.

The Two-Factor plugin header image from WordPress.org showing a close up of a greyscale key on a light grey background.
The Two-Factor plugin logo.

It’s a straightforward solution that provides Time-Based One-Time Passwords (TOTP), FIDO Universal 2nd Factor (U2F), email codes, and even a dummy setup for testing. There are also a host of actions and filters for greater integration.

For other options, you have a host of solutions:

  • You can configure the WP 2FA plugin from Melapress to enforce 2FA for all user roles while offering grace periods for onboarding. The plugin supports TOTP apps (such as Google Authenticator and Authy), email codes, and backup methods. Premium functionality adds trusted devices and white labeling.
  • Wordfence Login Security is a spin-off of the core plugin, providing standalone authentication without the full security suite. It remembers devices for 30 days and includes reCAPTCHA v3. The plugin also works with custom login pages and XML-RPC, which is critical for mobile apps and remote publishing.
  • The miniOrange SSO plugin is great for enterprise environments as it connects WordPress to identity providers such as Azure AD, Google Workspace, and Okta. Directory groups also map to WordPress roles automatically, so marketing gets Editor access, support receives Contributor privileges, and so on.

What’s more, these plugins are all free and have rapid setup times.

Setting up real-time alerts using webhooks and monitoring

Kinsta provides infrastructure monitoring as a core service: uptime checks every three minutes from ten global locations, performance anomaly detection, and email notifications for outages. There’s also the Activity Log that tracks all administrative actions with timestamps and user attribution.

Even so, WordPress-level events need additional monitoring and logging to complement Kinsta’s infrastructure oversight.

The WP Activity Log plugin header image from WordPress.org.
The WP Activity Log plugin header image from WordPress.org.

Melapress provides an excellent solution here with WP Activity Log. It captures WordPress-specific events with minimal performance impact on Kinsta’s optimized environment.

Using the plugin, you can configure alerts for critical security events such as new user creation, failed login attempts, plugin or theme installations, and even core file modifications.

Using webhooks, you can even connect alerts to your team’s workflow tools. For example, if you create a Slack incoming webhook, you can then configure WP Activity Log to send structured notifications:

{
  "event_type": "user_privilege_escalation",
  "severity": "critical",
  "user_affected": "[email protected]",
  "role_change": "editor_to_administrator",
  "timestamp": "2025-08-10T14:30:00Z",
  "site": "client-production.kinsta.cloud"
}

The payload will identify the user taking the action and let you assess and respond fast. Further to this, you could implement some other tools to assist with your security monitoring:

  • Main WP aggregates security events across your portfolio so you can deploy it on a dedicated Kinsta site to monitor all of your sites. The Activity Log extension forwards events to SIEM platforms for enterprise security operations.
  • Patchstack provides vulnerability monitoring with real-time alerts. When vulnerabilities affect your sites, you receive immediate notification with remediation guidance. Testing patches is a great use case for Kinsta’s staging environments before production deployment.

When configuring your log retention, start with 30 days for GDPR, 90 days for PCI DSS, and one year for HIPAA. For long-term retention, it’s also a good idea to export logs to Google Cloud Storage.

Using WP-CLI and Kinsta to audit your security

Every Kinsta environment includes WP-CLI pre-installed and accessible through SSH. This enables rapid security auditing and emergency response, which would otherwise take hours through other interfaces.

The WordPress Developer Resources for WP-CLI can help you build systematic audits through leveraging specific commands. For instance, the wp user list command filters by role, while database queries find temporal patterns:

#!/bin/bash
# Monthly user security audit
echo "=== Administrator Accounts ==="
wp user list --role=administrator --fields=ID,user_login,user_email --format=table
echo "=== Recently Created Users ==="
wp db query "SELECT user_login, user_registered FROM wp_users 
WHERE user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY)"

The script identifies security risks in your user base, such as unauthorized admin accounts and suspicious user creation patterns.

Using the wp core verify-checksums command, you can check WordPress core files against official checksums. This detects unauthorized modifications that could indicate a compromise:

#!/bin/bash
# Daily integrity check
core_check=$(wp core verify-checksums 2>&1)
if echo "$core_check" | grep -v "Success"; then
  echo "Alert: Core files modified"
  # Send notification to team
fi

However, when compromise does occur on rare occasions, you can implement a lockdown script to neutralize threats while preserving the evidence:

#!/bin/bash
# Emergency lockdown script

# Step 1: Preserve evidence
echo "Creating forensic backup..."
wp db export emergency_backup.sql
tar czf site_snapshot.tar.gz ~/public

# Step 2: Block public access
echo "Enabling maintenance mode..."
wp maintenance-mode activate

# Step 3: Revoke admin privileges
echo "Removing administrative access..."
wp user list --role=administrator --field=ID | while read userid;
do
  wp user set-role $userid subscriber
  echo "Revoked admin: User ID $userid"
done

# Step 4: Force re-authentication
echo "Invalidating all sessions..."
wp config shuffle-salts

Each step serves a specific purpose: it preserves evidence of the breach for investigation, prevents access to stop any further damage, revokes privileges to neutralize the threat, and invalidates the session to force re-authentication.

Multisite oversight with MyKinsta and external dashboards

Managing dozens of WordPress sites often requires you to combine MyKinsta’s infrastructure controls with WordPress management platforms. MyKinsta offers bulk actions such as updates, backups, and cache clearing across your entire portfolio (backed up by the Activity Log).

The MyKinsta dashboard interface showing the Plugins update screen for multiple sites. Some plugins have expanded menus showing the status of that plugin on each site.
MyKinsta’s bulk actions.

Kinsta’s native functionality will be central to your security foundations:

  • Bulk actions for simultaneous operations across sites.
  • Activity logging for comprehensive audit trails.
  • Custom labels for organizing sites by client or security tier.
  • API access for programmatic control.

You can also extend this with other WordPress management platforms:

  • MainWP can provide more to you than simply logging functionality. It can run on your Kinsta plan and help you manage your portfolio as ‘child’ sites. The tool features vulnerability scanning, centralized plugin management, file integrity monitoring, bulk hardening, and additional capabilities.
  • ManageWP operates as a Software as a Service (SaaS) solution for WordPress Multisite and connects through a Worker plugin. Its premium offering adds real-time scanning and white-label reporting.

You might even consider using the Kinsta API to build custom security dashboards. Here’s a simple and barebones way to start it off:

// Kinsta API security monitoring
async function checkSitesSecurity() {
  const response = await fetch('https://api.kinsta.com/v2/sites', {
    headers: {
      'Authorization': `Bearer ${process.env.KINSTA_API_KEY}`
    }
  });

  const sites = await response.json();

  // Check each site's security status
  return sites.map(site => ({
    name: site.name,
    ssl_active: site.ssl?.status === 'active',
    php_current: parseFloat(site.php_version) >= 8.0,
    backup_recent: site.backups?.[0]?.created_at > Date.now() - 86400000
  }));
}

However, when you implement this, you should ensure you watch for key infrastructure security indicators: checking SSL statuses, PHP versions, and backup recency.

Developing client-facing security transparency

Regardless of what you implement, clients want and need evidence that their investment delivers protection. Having a policy of transparency when it comes to your security provision builds trust and justifies the maintenance contracts you have in place.

The structure and presentation of your reports is down to you. However, look to include analytics and metrics to demonstrate both infrastructure and application security. For instance, you can provide infrastructure metrics from Kinsta:

  • Uptime percentage and incident history.
  • DDoS attempts blocked by Cloudflare.
  • SSL certificate status and renewal dates.
  • Backup success rates and availability.
  • PHP version and security patches.

From WordPress, you can grab your metrics:

  • The number of failed login attempts blocked.
  • Vulnerabilities you’ve discovered and patched.
  • Tracking of user privilege changes.
  • File integrity verification results.
  • Security scan outcomes.

Depending on the report you require, including business metrics can also be useful. For example, it might list the revenue you’ve protected during attacks, how you’ve maintained compliance, site availability, and much more.

Some clients may need real-time visibility, which can be simpler to implement than you think. For example, using the WordPress role and capability system, you can create restricted access protocols:

/**
 * Create client security viewer role
 * Based on WordPress Roles and Capabilities documentation
 */

function create_security_viewer_role() {
    remove_role('security_viewer');
    add_role('security_viewer', 'Security Viewer', array(
        'read' => true,
        'view_security_reports' => true,
        'view_activity_logs' => true
    ));
}

add_action('init', 'create_security_viewer_role');

/**
 * Restrict viewer access to sensitive areas
 */

function restrict_viewer_access() {
    $user = wp_get_current_user();

    if (in_array('security_viewer', $user->roles)) {
        $restricted = array('plugins.php', 'themes.php', 'users.php');
        $current = basename($_SERVER['SCRIPT_NAME']);

        if (in_array($current, $restricted)) {
            wp_redirect(admin_url('index.php'));
            exit;
        }
    }
}

add_action('admin_init', 'restrict_viewer_access');

The end result of this implementation creates a Viewer role with limited capabilities. This enables you to offer real-time security monitoring to clients while preventing any critical modifications as they browse.

Summary

Building effective WordPress security workflows on Kinsta needs both infrastructure and application-layer protections.

Kinsta provides the foundation through its isolated container technology, Cloudflare WAF, mandatory 2FA, and monitoring functionality. WordPress-level workflows need additional plugins to fill in the blanks, but a complete security architecture is more than possible.

Some of these tools also integrate seamlessly with Kinsta’s infrastructure. For example, you can have WP-CLI on every server, APIs for automation, and bulk operations for efficiency.

If you’re ready to build enterprise-grade WordPress security workflows, explore Kinsta’s managed WordPress hosting and discover how proper infrastructure makes security manageable at scale.

Jeremy Holcombe Kinsta

Senior Editor at Kinsta, WordPress Web Developer, and Content Writer. Outside of all things WordPress, I enjoy the beach, golf, and movies. I also have tall people problems.