kmarusek

Hey there,

Thanks for your patience while we got this sorted out. I can confirm that the issue with Notification Center settings not saving correctly has been resolved in the latest release — Solid Security 9.3.9.

If you’re still seeing problems after updating, try clearing any site/server cache and give it another go. But this fix should take care of things.

Appreciate everyone who reported this and helped us track it down!

Best,
Kevin
SolidWP Support

Hi @lohanelbt ,

The “invalid JSON” error paired with a 524 timeout usually points to a conflict with caching or scheduled tasks timing out. While a previous issue on our end did cause this for some users, that has since been resolved — and based on current support volume, it appears the issue is now limited to isolated cases.

Here’s what I recommend:

1. Clear all plugin, server, and CDN-level caches, including page caching and your browser cache.
2. Clear all site transients — you can use a plugin like WP Optimize, or run wp transient delete --all via WP-CLI if you’re comfortable with the command line.
3. In Solid Security, go to Security > Debug, then click the Schedule tab and use the Reset button to refresh all scheduled tasks.
4. Double-check your Google Analytics code, if present. We’ve had one report where a malformed GA script was interfering with scan completion and returning invalid JSON.

After running through these steps, please give the system 1–2 days to complete a new scan. Let us know how it goes — happy to dig in further if the error persists.

Best,
Kevin
SolidWP Support

Great question @davidefiorio !

The “Disable PHP in Plugins” and “Disable PHP in Themes” settings in Solid Security block direct access to PHP files inside those folders. This helps prevent malicious scripts from running if one were ever uploaded — it’s a useful hardening step.

That said, some themes and plugins need PHP files to be directly accessible. If you notice missing images or broken functionality when these settings are enabled, it’s often because of this block. Disabling the setting lifts that restriction, allowing your trusted plugins and themes to work normally again.

You can read more in our official documentation here:
👉 System Tweaks – PHP Execution settings

If everything is working properly after adjusting the settings, I’ll go ahead and mark this thread as resolved in a day or two — just reply back if you still have questions!

Best,
Kevin
SolidWP Support

Hi there,

Thanks for reaching out!

Currently, there isn’t a filter or setting available to extend the expiration time of 2FA email codes. If the emails are arriving too late to be usable, it likely points to a delay on the mail server or email provider’s side.

You might want to look into your SMTP service or contact your email provider to check for delays or throttling. Alternatively, we recommend switching to a more reliable method like mobile-based 2FA (using an authenticator app), which doesn’t depend on email delivery and tends to be faster and more secure.

Let me know if you need help switching 2FA methods. Be sure to follow the document on 2FA here:
https://solidwp.com/documentation/security/how-it-works/solid-security-two-factor-authentication-2fa-settings-guide/

Best,
Kevin
SolidWP Support

Hi there,

Thanks for your question!

Unfortunately, Solid Security doesn’t currently offer a way to allow only specific plugins or endpoints to access the REST API — it’s either restricted or open across the board. The “Restricted Access” setting limits access to logged-in users only, but it doesn’t allow for granular whitelisting by plugin or request type.

If Yoast SEO relies on the REST API to fetch category data, the best option for compatibility is to leave REST API access open or use the “Default Access” option, as you’ve discovered.

We definitely understand the desire for tighter control, and I’ll flag this with the team as a feature request for more granular REST API controls.

Best,
Kevin

Hi there,

You’re right — this does sound like the same .htaccess overwrite issue discussed in the thread you linked. This usually happens when multiple plugins or tools are writing to .htaccess, and the Solid Security rules get overwritten.

To resolve this going forward:

1. Restore a clean .htaccess by going to WP Admin > Settings > Permalinks and clicking “Save.”
2. Manually re-add any missing Solid Security rules if needed. You can regenerate them by toggling the related features off and on, or copy them directly from this guide:
   👉 What rules are enforced by the .htaccess file in Solid Security Pro?
3. If you’re using a tool like cPanel, LiteSpeed, or a redirect plugin, double-check for any automatic .htaccess changes that might be overwriting rules.
4. To avoid repeat issues, try to limit how many tools or plugins are modifying .htaccess dynamically.

That should give you everything you need to bypass and prevent this in the future.

I know this issue is still elusive and we’ve yet to replicate it on our side, but I’ll go ahead and flag it with the team tomorrow so we can take another look internally.

Hi there,

Thanks for reaching out!

If you’re looking to offer your customers the ability to set up two-factor authentication (2FA), this can absolutely be done. In the free version of Solid Security, you can enable 2FA by going to Security > Settings > Features > Login Security > Two-Factor.

Once enabled, users will see the option to set up their own 2FA under WP Admin > Users > Profile.

If you’re looking for more advanced control — such as enforcing 2FA for specific user roles, customizing methods, or managing enforcement policies — these options are available in Solid Security Pro.

Let us know if you’d like guidance on enabling it or directing users to their setup page.

Hi there,

Thanks for the info, and good catch on that notice!

The fix for this issue was included in version 9.3.5 (released November 19, 2024), so it should have resolved the PHP notice about translations loading too early.

Since you’re already on the latest version and still seeing the notice, it might be caused by a conflict with another plugin or your theme loading the plugin’s textdomain too early.

Here are a couple of things you can try:

• Temporarily switch to a default theme (like Twenty Twenty-Five) to see if the notice persists.
• Disable other plugins one by one to rule out conflicts.
• Make sure no custom code is calling translation functions before the init hook.

If none of that helps, please share your full debug.log entry and your plugin version again so we can investigate further.

Thanks for your patience!