MyListing Club

Protect Your MyListing Website With WebARX

Building better MyListing websites. One code snippet at a time.

Guide Contents


Our Protect Your MyListing Website with WebARX guide will show you how to configure this plugin for added website security.

As part of a multi-level security approach, the very first thing you should focus on is your website hosting.

We recommend Kinsta hosting for many reasons, including their approach to security and their Security Guarantee.

For those that want to add another layer of security, while potentially eliminating some plugins, WebARX may be for you.

WebARX has a massive feature set that does much more than security, without slowing down your website. 

For this guide, we went through and tested every setting of WebARX, to get an in-depth understanding of the product, rather than just turning it on and expecting it to do everything we need.

We also pulled up our WebARX portal side-by-side with our WordPress dashboard (i.e. WebARX plugin), to ensure consistency across both sides of the product.

WebARX for WordPress Features

Prevent Attacks and Malware

Manage security on all your WordPress sites via one platform. Prevent attacks and malware infections.

  • Managed Web Application Firewall
  • Custom Firewall Rules
  • Plugin Vulnerability Monitoring
  • Up-time and SSL Monitoring
  • Blacklist Monitoring
  • Email and Slack Alerts
  • PDF Security Reports
  • WordPress Hardening
  • 24/7 Security Monitoring
  • 2 Factor Authentication
  • GDPR Cookie and Privacy Policy
  • Plugin Remote Management
  • Website Software Overview
  • User Activity Logging
  • User Management

Prevent Attacks With Firewall

WebARX is mainly known for its advanced Web Application Firewall which is automatically updated to prevent plugin and theme vulnerabilities and can be installed in less than a minute.

  • Block malicious bots, hacking attempts, and countries from accessing your website
  • Prevent malware infections
  • Secure your website from plugin vulnerabilities
  • Protect your website from brute-force attacks
  • Make your own rules with the WebARX firewall engine

24-Hour Monitoring

Gain complete security overview and set up alerts on Slack and Email when immediate attention is required.

Daily security scans and monitoring will give you an in-depth understanding of the state of your websites.

  • Plugin vulnerability monitoring
  • SSL/TLS certificate monitoring
  • Up-time monitoring
  • Blacklist monitoring
  • Domain expiration monitoring

Complete WordPress Hardening

Easily adapt modern security practices such as security headers, 2FA, ReCaptcha, and more.

All security configurations can be done within minutes directly from the WebARX WordPress plugin.

  • Login Rate Limiting
  • GDPR Cookie and Privacy Policy
  • reCAPTCHA & 2 Factor Authentication
  • User Activity Logging
  • HTTP Security Headers

Alerts and Security Reports

Get alerts on issues that need immediate attention.

Set slack and email notifications on all monitoring scans and export full PDF reports for your customers.

  • Customize when to receive alerts
  • Receive alerts on slack
  • Receive alerts on email
  • Send alerts to alternative emails
  • Generate full security reports (PDF)
  • Customize reports with your company logo
  • Create weekly reports

Manage WebARX on Your Own

Install WebARX

  1. Sign up for a 14-day FREE Trial. (Note: You are required to put in payment information.).
  2. Add your website(s).
  3. From your WebARX dashboard, click Setup Plugin.

Note: Every website is unique and sometimes auto-installation will not work for many reasons. We recommend that you download the plugin and add it to your site(s) manually, rather than using the Auto-Installation option.

  1. Download the plugin by clicking the “I want to install the plugin manually” link.
  1. Click the Download icon.
  1. WordPress Dashboard > Plugins > Add New > Upload Plugin > Choose File.
  2. Browse to the location where you downloaded the plugin and double-click it to upload it.
  3. Click Install Now.
  4. Click Activate Plugin.

After you’ve added your site, you will get information about monitoring, activity logs, etc. Give WebARX up to 15 minutes to fully populate the dashboard.

If/when an attack is attempted on your website, the firewall logs will also start to populate.

Configure WebARX

Hardening (Security Configurations)

All of these settings are enabled by default and we leave them that way.

We’ve included some notes for some of the settings.

  • Disable plugin/theme edit: Many find it annoying to have this turned on, but it’s too simple to just toggle (enabled/disabled) this setting on an as-needed basis. Security over convenience!
  • Move logs folder
  • Disable WPScan from getting basic information: Simply put, the more information you disclose, the more you leave your website open to being exploited.
  • Disable user enumeration
  • Hide your WordPress version from WPScan advanced fingerprinting
  • Enable activity log
  • Disable XML-RPC

Hardening (reCAPTCHA)

While reCAPTCHA should be evaluated on a site by site basis, we really see no downsides to enabling all of the settings in the section.

What’s really awesome about this, is the ability to eliminate any reCAPTCHA plugins that you may have going. 

Some people even pay for premium reCAPTCHA plugins, so this is potentially a cost-saving solution.

We enable all of these settings, using reCAPTCHA v2 (Invisible), which provides protection without the annoying checkbox.

Note: We have spoken to WebARX and confirmed that reCAPTCHA v3 is on the roadmap. So, for now, be sure to use v2 rather than v3.

  • Post comments form
  • Login form
  • Registration form
  • Password reset form
  • reCAPTCHA version (invisible/normal): reCAPTCHA v2.
  • Site Key / Secret Key: You’ll enter your keys, by following the settings below.

​How to get the Site and Secret keys for reCAPTCHA

  1. Log into your Google account.
  2. Go to the reCAPTCHA Admin website.
  3. Scroll down to the Register a new site section.
  4. For the Label field, enter your website name.
  5. Check reCAPTCHA v2 (or a different reCAPTCHA version you wish to use.
  6. In the domains field, enter your domain(s).
  7. Add additional Owners, if you collaborate with others on the management of your website.
  8. Accept the reCAPTCHA Terms of Service.
  9. Click Submit.
  10. You will now see the Site key and Secret key which you will need to copy over to the WebARX plugin or WebARX admin dashboard, then save the settings within WebARX.

Note: If you enable reCAPTCHA within WebARX, be sure to go through your entire website implementation (theme, plugins, files, etc.) and remove any other instances of reCAPTCHA.

We have found reCAPTCHA in the following places, within a MyListing website:

  • Listings > Settings > reCAPTCHA.
  • Elementor > Settings > Integrations >reCAPTCHA.

Firewall (Firewall Settings)

  • Enable Firewall: Enabled with the default settings until there is a good reason to change them.
  • Firewall user role whitelist: This will differ from website to website, but we recommend only whitelisting what’s chosen by default, at a minimum. Another good option is to go to WordPress > Users and see what roles people have assigned. If, for example, there are no “Author” roles assigned, consider not whitelisting that role until the situation changes. In short, be as restrictive as possible.

Firewall (.htaccess Features)

For anyone using website hosting with NGINX servers, such as Kinsta, these features aren’t needed, and you can simply check the box next to”Disable .htaccess features“.

If you’re using hosting other than Kinsta, please reach out to their support team or your website maintenance/support provider to verify the server technology that’s running.

Note: We spoke to WebARX regarding a feature request to grey out all of the options that relate to .htaccess once the above box is checked. They agree with that request and have added it to their to-do list.

For those not on NGINX servers, we recommend leaving the default settings to start, along with enabling “Prevent image hotlinking“. 

Note: Hotlink Protection prevents other websites from directly linking to image files from your website. So, when another website is visited, it cannot load pictures from your website, thus limiting the outbound traffic for your account. All of Cloudflare’s plans include Hotlink Protection, under the Scrape Shield tab. This setting is not enabled by default.

Country Blocking

This is a very cool feature and for ease of use, we recommend the Inversed Check option.

That way, all you need to do is specify the countries you want to visit your website.

For those that are using Cloudflare, similar functionality is available, but with WebARX you can select unlimited countries and the interface is slightly more user-friendly

Firewall (IP Whitelist & Blacklist)

We recommend leaving this section alone until you have a reason not to.

You want to be careful to not block entities that do need to access your website and you want to avoid giving explicit access to your website when it’s not actually needed.

Login Protection (Login Protection)

Move and rename login page
On websites where there are primarily only higher-profile user roles in play (administrators, editors, shop managers, etc.), enabling this setting is a slam dunk.

For websites with significant user and customer activity (directories, forums, memberships, etc.), we still recommend enabling this setting, but to keep this setting in mind should there be login issues reported.

Bonus: If you typically use a plugin like WPS Hide Login, this setting allows you to remove yet another plugin.

Automatic brute-force IP ban
We recommend enabling this setting and going with the defaults.

WebARX will detect attempts being made at guessing passwords and will block the originating IP for a period of time.

Bonus: If you typically use a plugin like WP Limit Login Attempts, this setting allows you to remove yet another plugin.

Login Hours
This will have to be examined on a site-by-site basis.

For websites that have customers around the world, for example, it’s probably best to keep this setting off.

For MyListing websites, this setting will rarely, if ever, be enabled.

Website support should also be taken into consideration, as vendors are often dispersed around the globe.

That said, with how easy it is to enable/disable this setting, it might be worth it to leave it disabled until support is needed.

Lastly, you should really only be giving access to your staging environment, where security is typically a bit laxer.

Login Protection (Two Factor Authentication)

This setting allows you to further tighten the security of WordPress user accounts.

Note: We’ve reached out to WebARX about adding more information to the Two Factor Authentication area of the user profile. As it is now, this is not very user-friendly, especially for the non-techies that haven’t been exposed to this technology as of yet. WebARX confirmed this is on the roadmap.).

You can enable this setting by doing the following:

  1. From the WebARX portal or your WordPress dashboard, go to Hardening > Login Protection > Two Factor Authentication.
  2. Check the Two Factor Authentication box.
  3. Click Save Settings.
  4. WordPress dashboard > Users.
  5. Edit the user that you wish to enable this setting for.
  6. Check the box above the QR code, to enable this setting. 
  7. Click Update Profile.

Login Protection (Currently Blocked IP Addresses)

You may have to reference this section when troubleshooting access issues for your website. 

Also, you could use this section to identify IP addresses that you could/should block indefinitely, as well as those that you may want to add to your Whitelist.

Login Protection (Whitelisted IP Addresses)

This section is for information purposes only. Use this section to easily identify IP Addresses you’ve chosen to Whitelist in the past.

Cookie Notice (Cookie Notice Settings)

This is another great feature, allowing you to eliminate other Cookie Notice solutions like Elementor Popups, Cookie Notice plugins, etc.

WebARX allows you to easily implement and style a Cookie Notice that also has scheduling capability.

To enable the Cookie Notice in WebARX, please refer to the following:

  1. From the WebARX portal or your WordPress dashboard, go to Cookie Notice.
  2. Check the Enable Cookie Notice box.
  3. Enter message for displaying > Leave as default or adjust as desired.
  4. Cookie acceptance button text > Leave as default or adjust as desired.
  5. Background color > Leave as default or adjust as desired.
  6. Text color > Leave as default or adjust as desired.
  7. Enable Policy Link > Check the box to enable.
  8. Enter Policy Text > Leave as default or adjust as desired.
  9. Enter Policy Link > Paste in the URL of your Privacy Policy.
  10. When to ask user permission again > Choose the desired length of time before asking for confirmation again.
  11. Background opacity > This sets the transparency of the cookie notice background. (Note: In our screenshot below, we’re showing the default opacity settings.).
  12. Display WebARX credits > Choose whether you want to show the world that you’re using WebARX. (Note: We’ve given this some serious thought and cannot think of a reason to show the credits. Can’t blame them for trying though.).

Note: If you’ve previously implemented a Cookie Notice solution (Elementor Popup, Cookie Notice plugin, etc.), be sure to remove (or disable) them.


Nothing to configure here, but we recommend that you take the time to review your logs on a routine basis.

.htaccess Backup (Backup / Restore / Reset)

This section can be ignored if you’re on NGINX servers. Even if you’re not, this section can mostly be ignored.


Ideally, you shouldn’t have to mess with this area unless you are experiencing issues connecting/verifying your license with WebARX servers.

Add More Sites to WebARX

  1. Log into your WebARX Dashboard.
  2. Click on the +Add new websites link.
  1. Enter the website URLs as directed.
  2. Click Add Websites.
  3. Click Close.
  4. Repeat the steps in the Install WebARX section.
  5. Configure the settings for your newly-added website, using the Hardening tab. (Important: At this time, WebARX will by default, check these boxes for settings, but the settings aren’t actually activated. For the settings, you wish to set, be sure to uncheck them, check them back on, and then save. We’ve contacted WebARX about this.).

Manage Sites Using Your WebARX Dashboard

Once websites are activated with WebARX, you can easily manage them from your dashboard, as if you were logged into your website.

  1. Log into your WebARX Dashboard.
  2. Click on the desired website.
  3. Review your logs or make settings changes and have them instantly kick in on your website.