We are highly confident that your website is a great asset to your business, and that’s why it’s IMPERATIVE to keep it safe! But the thing is, securing one WordPress site may require a lot of time and technical knowledge. However, that’s not the case if you are using iThemes Security plugin for your ultimate WordPress security.
When we first installed iThemes Security, we were AMAZED of how easy can be securing one WordPress website. We are talking about just clicking a few buttons and no technical knowledge whatsoever.
iThemes Security is formerly known as Better WP Security. Today it is one of the TOP WordPress security plugins with many positive reviews and ratings.
The plugin surely didn’t fail to leave a good first impression. But how well can you be protected using iThemes Security plugin and what are its supported features? Read further and you will find the answer.
iThemes Security Installation And Basic Configuration
When you install iThemes security for the first time (just like any other plugin from your WP Admin -> Plugins -> Add New -> Search for iThemes Security), you will get a blue notification telling you to Get Free API Key. Click on that button.
Figure 1. iThemes Security notification on first time run
When the new window appears, make sure to put your email address and click on Save Settings.
Figure 2. Network Brute Force Protection
It will lead you to the iThemes Settings where you can make some further security enhancements.
Figure 3. Security features iThemes Security
Security Check
First, click on Security Check -> Configure Settings. From here you need to click on Secure Site, to perform a basic security check and secure your site.
Figure 4. Perform security check
Figure 5. Completed security check
Global Settings
Close this window and move to Global Settings -> Configure Settings. The default settings here can be good enough, but feel free to adjust something that seems not right for you. For example, we don’t want the Security menu in the admin bar so we will turn it off from here by clicking on Hide Security Menu in Admin Bar.
Figure 6. Global Settings
404 Detection
Next, you need to enable 404 detection. The 404 detection mechanism looks at a user who is hitting a large number of non-existent pages and getting a large number of 404 errors (in case the hacker is using SQL injections to deface your site).
Figure 7. 404 Detection feature
You can further configure this 404 feature by clicking on the Configure Settings button and make the changes.
Figure 8. 404 configurations
Utilize “Away Mode” (optional)
This feature makes the admin login inaccessible for an amount of time you set (for example if we won’t be working on New Year, we will protect the login access during these 2-3 days).
The “away mode” is an optional feature and you can use it ONLY if you specifically need to.
Figure 9. “Away mode” configurations
Banned Users
With this feature, you can block specific IP addresses from accessing your website. You can just put the IP in the Ban Hosts textarea and forbid a user to visit your website.
Figure 10. Banned users
Local Brute Protection
This feature allows you to enable login limits for those who would try to “guess” your admin password. After specific number of attempts, the user will be permanently banned from accessing your site.
Figure 11. Local brute force protection
Note: For the last option – Automatically ban “admin” user, you can check it only after you’ve changed your username “admin” to something else (which need to be changed NOW, if you haven’t done it by this point!).
Database Backups
The Database Backups feature allows you to have scheduled backups of your database in case something unexpected happened. This is a really nice feature for protecting your website where you can set the location of your database backups, the backup interval etc. However, we have a complete backup section in our Academy for this issue, so don’t bother with this feature at this moment.
Figure 12. Configuring the backups
File Change Detection
By enabling this feature, you will be alerted what files have been changed in your WP installation without your knowledge.
Figure 13. File change detection
File Permissions
You need to check the permissions of the important WordPress files. With this feature, you can see the details of important files, and you can change if some file permission is vulnerable.
Figure 14. Check File Permissions
Network Brute Force Protection
Network brute force protection takes the local brute protection a step further by banning users who have tried to break into other sites from breaking into yours. By generating the free API key at the beginning, you have automatically enabled this feature.
SSL
If your site accepts on-site payments, you need to secure your site with SSL. By using this feature you can configure your SSL to ensure smooth and secure communications between browsers and the server.
Strong Password Enforcement
With Strong Passwords feature, you can force your users to have strong passwords when registering.
Figure 15. Ensuring strong passwords for your users
System Tweaks
In this feature, there are some advanced settings that may be utilized to further strengthen the security of your WordPress site. Here we will just select 3 security metrics:
- Protect System Files
- Disable Directory Browsing
- Disable PHP in Uploads
Other features can be left unchecked because they can make plugin conflicts.
Figure 16. System tweaks
WordPress Tweaks
In this feature, there are also more advanced WordPress settings to further strengthen the security of your site. From here we can enable a few options:
- Reduce Comment Spam (although later in our Academy we will cover the spam problem in depth)
- Force users to choose a unique nickname
- Disables a user’s author page if their post count is 0.
Figure 17. WordPress tweaks
WordPress Salts
Changing WordPress Salts is more after-hack measurement, but if you want to remove the stored users’ cookies, you can choose to Change WordPress Salts. Everyone will be logged out and will need to log-in again.
Figure 18. Changing the WordPress Salts
Admin User
This feature removes users with a username of “admin” or a user ID of “1”. Use this feature with caution! If you have “admin” username, make a database backup first, create a new different username (assign the existing posts to that username) and then run this tool.
Figure 19. Changing the “admin” username
Change WordPress Database Table Prefix
If your database has the default wp_ prefix, this feature will change the default prefix of your database to something random like ex8l1_
Figure 20. Easily change the database prefix
That’s pretty much everything that needs to be configured in iThemes Security plugin to enhance the security of your website.
Troubleshoot: If you can’t find the latest features that we mentioned in this lesson, make sure to select All at the top.
Figure 21. All iThemes All features
Pros And Cons Of iThemes
| Pros | Cons |
|
|
Final Words
We can say that this plugin is one of the most user-friendly plugins for ensuring the excellent security for your site. iThemes Security is ideal for beginners and non-technical users, and that’s why it is getting a high score from us. Also, it is free to use, and the features that the plugin provides are a lot satisfactory.
We mention in the Cons that iThemes servers get recently hacked (September 2014), but we know that the iThemes guys by now have learned their lesson, and now everything is back to normal. Another indicator that even with security plugin on your site you need to keep your eyes wide open – all the time.
So in our opinion, this plugin with the combination of your super “security intelligence” that you’ve gained so far is a complete winner.
