
We are highly confident that your website is a great asset to your business, and that’s why it’s IMPERATIVE to keep it safe! But the thing is, securing a WordPress site can require a lot of time and technical knowledge. That is not the case, however, if you use the iThemes Security plugin for your WordPress security.

When we first installed iThemes Security, we were AMAZED at how easy securing a WordPress website can be. We are talking about just clicking a few buttons, with no technical knowledge whatsoever.

iThemes Security, formerly known as Better WP Security, is today one of the TOP WordPress security plugins, with many positive reviews and ratings.

The plugin certainly left a good first impression. But how well protected can you be with the iThemes Security plugin, and which features does it offer? Read on and you will find the answer.

 

iThemes Security Installation And Basic Configuration

When you install iThemes Security for the first time (just like any other plugin: from your WP Admin -> Plugins -> Add New -> search for iThemes Security), you will get a blue notification telling you to Get Free API Key. Click on that button.

Figure 1. iThemes Security notification on first run

 

When the new window appears, make sure to enter your email address and click on Save Settings.

Figure 2. Network Brute Force Protection

 

This will lead you to the iThemes Security settings, where you can make some further security enhancements.

Figure 3. Security features of iThemes Security

 

Security Check

First, click on Security Check -> Configure Settings. From there, click on Secure Site to perform a basic security check and secure your site.

Figure 4. Perform security check

Figure 5. Completed security check

 

Global Settings

Close this window and move to Global Settings -> Configure Settings. The default settings here are usually good enough, but feel free to adjust anything that doesn’t seem right for you. For example, we don’t want the Security menu in the admin bar, so we turn it off here by clicking on Hide Security Menu in Admin Bar.

Figure 6. Global Settings

 

404 Detection

Next, you need to enable 404 Detection. This mechanism watches for a visitor who hits a large number of non-existent pages and triggers a large number of 404 errors (for example, a hacker probing your site for SQL injections in order to deface it).

Figure 7. 404 Detection feature

 

You can fine-tune the 404 feature by clicking on its Configure Settings button and making your changes there.

Figure 8. 404 configurations
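To make the idea behind 404 Detection concrete, here is an added example (our own illustration, not code from iThemes Security) that scans web server access-log lines and flags any client that piles up 404 responses within a short window. The log lines, the threshold of 5 and the 5-minute window are constructed values for the demo; the plugin’s own defaults may differ. The flagged addresses are returned in the form you could paste into a host block list such as the Ban Hosts box described later in this lesson.

```python
"""Flag clients that pile up 404 errors in a short window.

Added example modelled on the lesson's 404 Detection feature; it is not
iThemes code. The threshold, window and log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client IP, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic: 10.0.0.5 requests one missing page after another,
# 192.0.2.10 is an ordinary visitor who follows a single stale link.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2015:10:00:01 +0000] "GET /missing-1 HTTP/1.1" 404 169
192.0.2.10 - - [03/Mar/2015:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 5123
10.0.0.5 - - [03/Mar/2015:10:00:02 +0000] "GET /missing-2 HTTP/1.1" 404 169
10.0.0.5 - - [03/Mar/2015:10:00:03 +0000] "GET /missing-3 HTTP/1.1" 404 169
192.0.2.10 - - [03/Mar/2015:10:00:04 +0000] "GET /old-page/ HTTP/1.1" 404 169
10.0.0.5 - - [03/Mar/2015:10:00:04 +0000] "GET /missing-4 HTTP/1.1" 404 169
10.0.0.5 - - [03/Mar/2015:10:00:05 +0000] "GET /missing-5 HTTP/1.1" 404 169
10.0.0.5 - - [03/Mar/2015:10:00:06 +0000] "GET /missing-6 HTTP/1.1" 404 169
"""


def find_404_abusers(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_404_count} for every client whose 404s within one
    sliding `window` reached `threshold` (assumed values, chosen for the demo)."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # successful hits never count against a client
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop 404s that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def ban_list(flagged):
    """Sorted IPs to paste into a host block list (the lesson's Ban Hosts box)."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_404_abusers(SAMPLE_LOG)
    print("flagged:", hits)  # {'10.0.0.5': 6}
    print("ban list:", ban_list(hits))
```

The single 404 from the ordinary visitor never reaches the threshold, which is the point of counting per client within a window rather than reacting to every missing page.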

 

Utilize “Away Mode” (optional)

This feature makes the admin login inaccessible for a period of time you set (for example, if we won’t be working over New Year, we protect the login for those 2-3 days).
“Away Mode” is an optional feature; use it ONLY if you specifically need to.

Figure 9. “Away mode” configurations

 

Banned Users 

With this feature, you can block specific IP addresses from accessing your website. Just put the IP in the Ban Hosts textarea, and that user is forbidden to visit your website.

Figure 10. Banned users

 

Local Brute Protection

This feature lets you set login limits for anyone who tries to “guess” your admin password. After a specific number of failed attempts, the user is permanently banned from accessing your site.

Figure 11. Local brute force protection

 

Note: The last option, Automatically ban “admin” user, can only be checked after you have changed your “admin” username to something else (which needs to be changed NOW, if you haven’t done it by this point!).
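The following added example (our own illustration, not the plugin’s code) models what the Local Brute Force Protection settings do: count failed logins per host inside a check period, lock the host out once the limit is reached, refuse even a correct password while the lockout lasts, and treat any attempt with the username “admin” as hostile once that option is on. The limit of 5 attempts, the 5-minute check period and the 15-minute lockout are assumed values; the lesson describes the plugin’s ban as permanent, so the timed lockout here is a simplification.

```python
"""Login-attempt limiter modelled on the lesson's Local Brute Force Protection.

Added example, not the plugin's code. The per-host limit, check period and
lockout length are assumed values chosen for the demo.
"""
from datetime import datetime, timedelta


class BruteForceGuard:
    def __init__(self, max_attempts_per_host=5, check_period=timedelta(minutes=5),
                 lockout=timedelta(minutes=15), ban_admin_username=True):
        self.max_attempts_per_host = max_attempts_per_host
        self.check_period = check_period
        self.lockout = lockout
        self.ban_admin_username = ban_admin_username
        self._failures = {}   # host -> timestamps of recent failed logins
        self._locked = {}     # host -> time the lockout expires

    def is_locked(self, host, now):
        until = self._locked.get(host)
        return until is not None and now < until

    def attempt(self, host, username, password_ok, now):
        """Process one login attempt; returns "ok", "failed", "locked" or "banned"."""
        if self.is_locked(host, now):
            return "locked"  # refused even if the password is right
        if self.ban_admin_username and username == "admin":
            # The lesson's last option: nobody legitimate uses "admin" any more,
            # so any attempt with that name is treated as hostile on sight.
            self._locked[host] = now + self.lockout
            return "banned"
        if password_ok:
            self._failures.pop(host, None)  # a good login clears the counter
            return "ok"
        recent = [t for t in self._failures.get(host, []) if now - t <= self.check_period]
        recent.append(now)
        self._failures[host] = recent
        if len(recent) >= self.max_attempts_per_host:
            self._locked[host] = now + self.lockout
            return "locked"
        return "failed"


def simulate():
    """Constructed scenario: one host guesses wrong five times, then the
    correct password is tried during and after the lockout, and a separate
    host tries the banned "admin" name."""
    guard = BruteForceGuard()
    t0 = datetime(2015, 3, 3, 10, 0, 0)
    results = [guard.attempt("10.0.0.5", "editor", False, t0 + timedelta(seconds=i))
               for i in range(5)]
    results.append(guard.attempt("10.0.0.5", "editor", True, t0 + timedelta(seconds=10)))
    results.append(guard.attempt("10.0.0.5", "editor", True, t0 + timedelta(minutes=20)))
    results.append(guard.attempt("203.0.113.7", "admin", True, t0))
    return results


if __name__ == "__main__":
    print(simulate())
```

Note that the correct password at the 10-second mark is still refused; that is the behaviour that makes a lockout useful against password guessing, and also why a real user who triggers it will be locked out too.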

Database Backups

The Database Backups feature gives you scheduled backups of your database in case something unexpected happens. This is a really nice feature for protecting your website: you can set the location of your database backups, the backup interval, etc. However, we have a complete backup section in our Academy covering this, so don’t bother with this feature for now.

Figure 12. Configuring the backups

 

File Change Detection

By enabling this feature, you will be alerted when files in your WP installation have been changed without your knowledge.

Figure 13. File change detection

 

File Permissions

You need to check the permissions of the important WordPress files. This feature shows you the details of those files, and lets you change any file permission that is too permissive.

Figure 14. Check File Permissions
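The two features above, File Change Detection and File Permissions, come down to the same underlying check: record what the files looked like when the site was known good, then compare. Here is an added example (our own code, not iThemes Security’s) that builds a baseline of SHA-256 hashes and permission bits for every file under a directory, reports files added, removed or modified since that baseline, and flags files whose mode is wider than an assumed maximum (0640 for wp-config.php, 0644 for everything else; these limits are assumptions, and your host may require different values). The sample WordPress tree is constructed in a temporary directory so the example runs offline.

```python
"""File change detection plus a permission check.

Added example, not iThemes code: builds a baseline of SHA-256 hashes and
modes for every file under a directory, reports what was added, removed or
modified since, and flags files whose mode exceeds an assumed maximum.
The sample tree is constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumed upper bounds on file modes; real deployments may be stricter.
EXPECTED_MAX_MODE = {"wp-config.php": 0o640, ".htaccess": 0o644}
DEFAULT_MAX_MODE = 0o644


def build_manifest(root):
    """Map relative path -> (sha256 hex digest, permission bits) for each regular file."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            mode = stat.S_IMODE(p.stat().st_mode)
            manifest[p.relative_to(root).as_posix()] = (digest, mode)
    return manifest


def diff_manifests(baseline, current):
    """Paths added, removed, or whose content hash changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p][0] != current[p][0]),
    }


def permission_findings(manifest):
    """(path, actual mode, allowed mode) for files with bits beyond the allowed mask."""
    findings = []
    for path, (_, mode) in manifest.items():
        limit = EXPECTED_MAX_MODE.get(path, DEFAULT_MAX_MODE)
        if mode & ~limit:  # any permission bit set that the limit does not allow
            findings.append((path, oct(mode), oct(limit)))
    return findings


def demo():
    """Constructed scenario: take a baseline, then simulate unnoticed changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-config.php").write_text("<?php // constructed config\n")
        (root / "index.php").write_text("<?php // constructed index\n")
        os.chmod(root / "wp-config.php", 0o600)
        os.chmod(root / "index.php", 0o644)
        baseline = build_manifest(root)

        # Changes made "without your knowledge": an edited core file, a new
        # PHP file inside uploads, and wp-config.php made world-writable.
        (root / "index.php").write_text("<?php // constructed index, altered\n")
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "unexpected.php").write_text("<?php // constructed\n")
        os.chmod(uploads / "unexpected.php", 0o644)
        os.chmod(root / "wp-config.php", 0o666)

        current = build_manifest(root)
        return diff_manifests(baseline, current), permission_findings(current)


if __name__ == "__main__":
    changes, perms = demo()
    print(changes)
    print(perms)
```

In practice the baseline manifest must be stored somewhere the web server cannot write, otherwise whoever changes the files can also update the record you compare against.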

 

Network Brute Force Protection

Network Brute Force Protection takes local brute force protection a step further by banning users who have tried to break into other sites from breaking into yours. By generating the free API key at the beginning, you have already enabled this feature.

SSL

If your site accepts on-site payments, you need to secure it with SSL. This feature lets you configure SSL to ensure smooth and secure communication between browsers and the server.

Strong Password Enforcement

With the Strong Passwords feature, you can force your users to choose strong passwords when registering.

Figure 15. Ensuring strong passwords for your users

System Tweaks

This section contains some advanced settings that can further strengthen the security of your WordPress site. Here we will select just 3 of them:

  • Protect System Files
  • Disable Directory Browsing
  • Disable PHP in Uploads

The other options can be left unchecked because they may cause plugin conflicts.

Figure 16. System tweaks

 

WordPress Tweaks

This section also contains more advanced WordPress settings to further strengthen the security of your site. From here we enable a few options:

  • Reduce Comment Spam (although later in our Academy we will cover the spam problem in depth)
  • Force users to choose a unique nickname
  • Disable a user’s author page if their post count is 0

Figure 17. WordPress tweaks

 

WordPress Salts

Changing the WordPress Salts is more of an after-hack measure, but if you want to invalidate the stored user cookies, you can choose Change WordPress Salts. Everyone will be logged out and will need to log in again.

Figure 18. Changing the WordPress Salts
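Why does changing the salts log everyone out? Because WordPress keys the login cookie’s authentication code with those salts, so a cookie issued under the old salts can no longer be verified once they change. The added example below (our own simplified model, not WordPress code) shows this with an HMAC-signed cookie: the layout is reduced to username|expiry|mac (the real WordPress cookie also binds a fragment of the user’s password hash and a session token), the salts are random values constructed by make_salts, and all function names are ours.

```python
"""Why changing the salts logs everyone out: a simplified model of the keyed
login cookie that WordPress builds from its salts.

Added example, not WordPress code. The cookie is reduced to
username|expiry|hmac and the salts are constructed at random.
"""
import hashlib
import hmac
import secrets


def make_salts():
    """A fresh AUTH_KEY/AUTH_SALT pair, as regenerating the salts would produce."""
    return secrets.token_hex(32), secrets.token_hex(32)


def sign_cookie(username, expiry, salts):
    """Issue a cookie whose MAC depends on the current salts."""
    key = (salts[0] + salts[1]).encode()
    payload = f"{username}|{expiry}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{mac}"


def validate_cookie(cookie, salts, now):
    """Return the username if the cookie is unexpired and its MAC verifies
    under the current salts, otherwise None."""
    try:
        username, expiry, mac = cookie.split("|")
    except ValueError:
        return None  # malformed cookie
    if not expiry.isdigit() or int(expiry) < now:
        return None  # expired
    expected = sign_cookie(username, expiry, salts).rsplit("|", 1)[1]
    # Constant-time comparison so MAC checks don't leak timing information.
    return username if hmac.compare_digest(expected, mac) else None


def demo():
    """Same cookie checked before and after a salt change, plus a tampered copy."""
    old_salts = make_salts()
    cookie = sign_cookie("editor", 2_000_000_000, old_salts)
    now = 1_500_000_000
    accepted_before = validate_cookie(cookie, old_salts, now)
    new_salts = make_salts()  # the "Change WordPress Salts" action
    accepted_after = validate_cookie(cookie, new_salts, now)  # forces a new login
    tampered = validate_cookie(cookie.replace("editor", "admin", 1), old_salts, now)
    return accepted_before, accepted_after, tampered


if __name__ == "__main__":
    print(demo())  # ('editor', None, None)
```

The same mechanism is what makes salt rotation an after-hack measure: any login cookie an intruder copied from a compromised browser or database stops working the moment the salts are replaced.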

 

Admin User

This feature removes users with the username “admin” or a user ID of “1”. Use it with caution! If you have an “admin” username, make a database backup first, create a new user with a different username (and assign the existing posts to that user), and then run this tool.

Figure 19. Changing the “admin” username

 

Change WordPress Database Table Prefix

If your database uses the default wp_ prefix, this feature changes it to something random, like ex8l1_.

Figure 20. Easily change the database prefix

 

That’s pretty much everything that needs to be configured in the iThemes Security plugin to enhance the security of your website.

Troubleshooting: If you can’t find some of the features mentioned in this lesson, make sure to select All at the top.

Figure 21. All iThemes Security features

 

Pros And Cons Of iThemes

Pros
  • Free plugin with nice features
  • Incredibly easy to set up and use
  • Has a malware scanner
  • Protection against brute force and back doors
  • Regularly updated
  • Changing database prefixes
  • Changing directories
  • WordPress Multisite support

Cons
  • A simple misconfiguration can break your site
  • Scans can take up a lot of resources (not recommended on shared hosting)
  • No effective after-hack measures
  • Recent hacking of the iThemes servers

 

Final Words

We can say that this plugin is one of the most user-friendly plugins for ensuring excellent security for your site. iThemes Security is ideal for beginners and non-technical users, and that’s why it gets a high score from us. It is also free to use, and the features it provides are very satisfactory.

We mentioned in the Cons that the iThemes servers were recently hacked (September 2014), but we believe the iThemes team has learned its lesson by now, and everything is back to normal. It is another indicator that even with a security plugin on your site, you need to keep your eyes wide open, all the time.

So in our opinion, this plugin, combined with the “security intelligence” you have gained so far, is a complete winner.

