The Memberships > Settings > Security admin page is a central hub for all security-related settings in PMPro. Use this screen to have better control and visibility over your membership site’s security measures, such as:
- Be sure you are using one or more recommended anti-spam methods, including reCAPTCHA, the Akismet Integration, throttling checkout submissions to prevent spam, and more.
- See whether you have an active DNS firewall in place. This screen validates if Cloudflare’s free DNS Firewall service is present. We strongly recommend this for all membership sites.
- Confirm if your site is using one of our recommended WordPress security plugins. If none are installed, we show a notice to install the free and open source MalCare plugin.
From the dashboard, go to Memberships > Settings and select Security. Below is a list of the settings on this screen:
Spam Protection
To protect your site from spam, it’s recommended to set up several spam protection methods. Below are the options you can configure:
- Akismet Integration: The Akismet Integration for Paid Memberships Pro uses the same spam filters as the Akismet plugin to prevent membership checkout form abuse. This requires both the Akismet plugin and the Akismet Integration for PMPro.
- Checkout Spam Protection: Choose whether to enable spam protection at checkout.
  - With this setting enabled, the plugin will automatically block checkout for any IP address with more than 10 checkout failures within 15 minutes.
- Use reCAPTCHA?: Select whether to use reCAPTCHA for spam protection.
  - A free reCAPTCHA key is required, and you can choose between v2 (Checkbox) and v3 (Invisible). Adjust the reCAPTCHA keys and version in the settings.
- Use CloudFlare Turnstile?: Select whether to use CloudFlare Turnstile for spam protection.
  - A free Turnstile account is required. After creating your Turnstile account, enter your Turnstile Site Key and Turnstile Secret Key.
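
The Checkout Spam Protection rule above (more than 10 checkout failures from one IP address within 15 minutes) can be pictured as a per-IP sliding-window counter. The PHP 8 code below is an added example, not Paid Memberships Pro's own code; the class and method names, the sliding window and the in-memory storage are assumptions.

```php
<?php
// Added illustration, not Paid Memberships Pro's code. Assumptions: a sliding
// window, in-memory storage, and the hypothetical class and method names.
final class CheckoutFailureThrottle
{
    /** @var array<string, int[]> failure times (Unix seconds) keyed by IP */
    private array $failures = [];
    public function __construct(
        private int $maxFailures = 10,    // "more than 10 checkout failures"
        private int $windowSeconds = 900  // "within 15 minutes"
    ) {}
    public function recordFailure(string $ip, int $now): void
    {
        $key = $this->normalize($ip);
        $this->failures[$key][] = $now;
        $this->prune($key, $now);
    }
    /** Blocked only when the count EXCEEDS the limit inside the window. */
    public function isBlocked(string $ip, int $now): bool
    {
        $key = $this->normalize($ip);
        $this->prune($key, $now);
        return count($this->failures[$key] ?? []) > $this->maxFailures;
    }
    /** Forget failures older than the window so a block expires on its own. */
    private function prune(string $key, int $now): void
    {
        $cutoff = $now - $this->windowSeconds;
        $kept = array_filter($this->failures[$key] ?? [], fn (int $t): bool => $t > $cutoff);
        if ($kept) { $this->failures[$key] = $kept; } else { unset($this->failures[$key]); }
    }
    /** Canonical form, so "::1" and "0:0:0:0:0:0:0:1" share one counter. */
    private function normalize(string $ip): string
    {
        $packed = @inet_pton($ip);
        if ($packed === false) { throw new InvalidArgumentException('not an IP address'); }
        return inet_ntop($packed);
    }
}

// Constructed sample: 11 failures, one minute apart, from a documentation address.
$throttle = new CheckoutFailureThrottle();
[$ip, $t0] = ['203.0.113.7', 1700000000];
for ($now = $t0; $now <= $t0 + 600; $now += 60) {
    $throttle->recordFailure($ip, $now);
    printf("+%3ds: %s\n", $now - $t0, $throttle->isBlocked($ip, $now) ? 'blocked' : 'allowed');
}
printf("+901s: %s\n", $throttle->isBlocked($ip, $t0 + 901) ? 'blocked' : 'allowed');
```

The counter is keyed on the client address, so behind a reverse proxy or CDN it has to be given the visitor's real address rather than the proxy's, or every visitor shares one counter.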
HTTPS Settings
Ensure that your site uses HTTPS to secure communication:
- Force SSL: Decide whether to force SSL across your site. This is recommended to ensure all communications are encrypted.
  - If your site URL starts with https://, this option ensures your entire site is served over HTTPS. If your site experiences redirect loops, you can enable JavaScript redirects.
- Extra HTTPS URL Filter: Pass all generated HTML through a URL filter to add HTTPS to URLs used on secure pages.
  - Enable this if you’re using SSL and encountering warnings on checkout pages.
DNS Firewall
DNS firewalls like Cloudflare provide distributed denial of service (DDoS) protection, improve page speed by delivering content via a global CDN, and include a web application firewall to block malicious traffic and attempts to exploit vulnerabilities.
- Cloudflare: Shows whether the free Cloudflare DNS firewall is active or not detected.
WordPress Security Plugins
Security plugins are designed to provide additional layers of protection for your WordPress site.
This section detects whether your site is using one of our recommended WordPress security plugins. If your site is running multiple security plugins, please consider deactivating one to avoid conflicts and improve site performance.
- MalCare: Our most recommended security plugin. MalCare offers real-time threat detection, firewalls, and performance optimization. If not installed, you can click to install it.
- Other Security Plugins: This page also detects if you are using other security plugins including Wordfence and Solid Security.