We are highly confident that your website is a great asset to your business, and that’s why it’s IMPERATIVE to keep it safe! The thing is, securing a WordPress site can require a lot of time and technical knowledge. However, that’s not the case if you are using the iThemes Security plugin for your ultimate WordPress security.

When we first installed iThemes Security, we were AMAZED at how easy securing a WordPress website can be. We are talking about just clicking a few buttons, with no technical knowledge whatsoever.

iThemes Security was formerly known as Better WP Security. Today it is one of the TOP WordPress security plugins, with many positive reviews and ratings.

The plugin surely didn’t fail to leave a good first impression. But how well can you be protected using the iThemes Security plugin, and what features does it support? Read further and you will find the answer.


iThemes Security Installation And Basic Configuration

When you install iThemes Security for the first time (just like any other plugin, from your WP Admin -> Plugins -> Add New -> Search for iThemes Security), you will get a blue notification telling you to Get Free API Key. Click on that button.


Figure 1. iThemes Security notification on first time run


When the new window appears, make sure to enter your email address and click on Save Settings.


Figure 2. Network Brute Force Protection


It will lead you to the iThemes Settings where you can make some further security enhancements.


Figure 3. Security features iThemes Security


Security Check

First, click on Security Check -> Configure Settings. From here you need to click on Secure Site to perform a basic security check and secure your site.


Figure 4. Perform security check



Figure 5. Completed security check


Global Settings

Close this window and move to Global Settings -> Configure Settings. The default settings here can be good enough, but feel free to adjust anything that doesn’t seem right for you. For example, we don’t want the Security menu in the admin bar, so we will turn it off from here by clicking on Hide Security Menu in Admin Bar.


Figure 6. Global Settings


404 Detection

Next, you need to enable 404 detection. The 404 detection mechanism watches for a user who is hitting a large number of non-existent pages and getting a large number of 404 errors (which can be the case when a hacker is using SQL injections to deface your site).


Figure 7. 404 Detection feature


You can further configure this 404 feature by clicking on the Configure Settings button and making the changes.


Figure 8. 404 configurations


Utilize “Away Mode” (optional)

This feature makes the admin login inaccessible for a period of time that you set (for example, if we won’t be working over New Year, we will block login access during those 2-3 days).
“Away mode” is an optional feature, and you should use it ONLY if you specifically need to.


Figure 9. “Away mode” configurations


Banned Users 

With this feature, you can block specific IP addresses from accessing your website. Just put the IP in the Ban Hosts textarea to prevent that user from visiting your website.


Figure 10. Banned users


Local Brute Protection

This feature allows you to enable login limits for those who would try to “guess” your admin password. After a specific number of attempts, the user will be permanently banned from accessing your site.


Figure 11. Local brute force protection


Note: You can check the last option – Automatically ban “admin” user – only after you’ve changed your username “admin” to something else (which needs to be done NOW, if you haven’t done it by this point!).
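
The lockout logic behind both 404 Detection and Local Brute Protection, as an added example (not iThemes Security's own code): it counts 404 errors and failed logins per IP in a sliding time window over web-server access-log lines. The thresholds, the log format, the sample lines, and the rule that a failed wp-login.php POST returns 200 while a successful one redirects with 302 are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this sketch, not the plugin's shipped defaults.
WINDOW = timedelta(minutes=5)
LIMITS = {"404": 5, "login": 3}
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, path, status):
    """Map one request to a lockout signal, or None if it is not counted."""
    if status == "404":
        return "404"
    # Assumption: a failed wp-login.php POST re-renders the form (200); success is a 302.
    if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
        return "login"
    return None

def find_lockouts(lines):
    """Return {(ip, signal): timestamp at which the limit was first reached}."""
    recent = defaultdict(deque)  # (ip, signal) -> event times still inside WINDOW
    lockouts = {}
    for line in lines:
        m = LINE.match(line)
        signal = classify(*m.groups()[2:]) if m else None
        if signal is None:
            continue  # malformed line, or a request we do not count
        ip, raw_ts = m.group(1, 2)
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        events = recent[(ip, signal)]
        events.append(ts)
        while ts - events[0] > WINDOW:  # expire events older than the window
            events.popleft()
        if len(events) >= LIMITS[signal]:
            lockouts.setdefault((ip, signal), ts)
    return lockouts

def sample_log():
    """Constructed log lines: documentation-range IPs, made-up paths."""
    row = '{} - - [01/Jan/2024:10:{:02d}:00 +0000] "{} HTTP/1.1" {} 512'
    log = [row.format("203.0.113.7", i, f"GET /missing-{i}.php", 404) for i in range(5)]
    log += [row.format("198.51.100.9", i * 10, "GET /typo-page", 404) for i in range(5)]
    log += [row.format("192.0.2.44", i, "POST /wp-login.php", 200) for i in range(3)]
    log += [row.format("192.0.2.50", 0, "POST /wp-login.php", 302), "garbage line"]
    return log

if __name__ == "__main__":
    for (ip, signal), when in find_lockouts(sample_log()).items():
        print(f"lock out {ip}: {signal} limit reached at {when:%H:%M:%S}")
```

The second IP in the sample produces the same number of 404s as the first but spread over 40 minutes, so it never fills the window; this is why the time window matters as much as the error count when you tune these settings.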

Database Backups

The Database Backups feature allows you to have scheduled backups of your database in case something unexpected happens. This is a really nice feature for protecting your website: you can set the location of your database backups, the backup interval, etc. However, we have a complete backup section in our Academy for this issue, so don’t bother with this feature at this moment.


Figure 12. Configuring the backups


File Change Detection

By enabling this feature, you will be alerted to which files have been changed in your WP installation without your knowledge.


Figure 13. File change detection
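
One way to see what a file change scan does, as an added example that is not the plugin's code: hash every file into a baseline, re-scan later, and report added, removed and changed paths. The excluded cache path, the helper names and the sample tree are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

EXCLUDE = ("wp-content/cache/",)  # assumed: paths that are expected to churn

def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(EXCLUDE):
                continue  # skip noisy paths so real changes stand out
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff(baseline, current):
    """Compare two snapshots and list added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def write(root, rel, text):
    """Helper for the demo: create or overwrite a file inside the sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed WordPress-like tree: take a baseline, alter files, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "wp-config.php", "<?php // config")
        write(root, "wp-includes/version.php", "<?php $wp_version = 'x';")
        write(root, "wp-content/cache/page.html", "v1")
        baseline = snapshot(root)
        write(root, "wp-includes/version.php", "<?php $wp_version = 'x'; // edited")
        write(root, "wp-content/uploads/img.php", "<?php // unexpected")
        write(root, "wp-content/cache/page.html", "v2")  # excluded, so not reported
        os.remove(os.path.join(root, "wp-config.php"))
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```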


File Permissions

You need to check the permissions of the important WordPress files. With this feature, you can see the details of important files, and you can change a file’s permissions if they leave it vulnerable.


Figure 14. Check File Permissions


Network Brute Force Protection

Network brute force protection takes the local brute protection a step further by banning users who have tried to break into other sites from breaking into yours. By generating the free API key at the beginning, you have automatically enabled this feature.


If your site accepts on-site payments, you need to secure your site with SSL. By using this feature you can configure your SSL to ensure smooth and secure communications between browsers and the server.

Strong Password Enforcement

With the Strong Passwords feature, you can force your users to have strong passwords when registering.


Figure 15. Ensuring strong passwords for your users

System Tweaks

In this feature, there are some advanced settings that may be utilized to further strengthen the security of your WordPress site. Here we will select just 3 security options:

  • Protect System Files
  • Disable Directory Browsing
  • Disable PHP in Uploads

Other features can be left unchecked because they can cause plugin conflicts.


Figure 16. System tweaks


WordPress Tweaks

In this feature, there are also more advanced WordPress settings to further strengthen the security of your site. From here we can enable a few options:

  • Reduce Comment Spam (although later in our Academy we will cover the spam problem in depth)
  • Force users to choose a unique nickname
  • Disables a user’s author page if their post count is 0.

Figure 17. WordPress tweaks


WordPress Salts

Changing WordPress Salts is more of an after-hack measure, but if you want to remove the stored users’ cookies, you can choose to Change WordPress Salts. Everyone will be logged out and will need to log in again.


Figure 18. Changing the WordPress Salts


Admin User

This feature removes users with a username of “admin” or a user ID of “1”. Use this feature with caution! If you have an “admin” username, make a database backup first, create a new, different username (assign the existing posts to that username) and then run this tool.


Figure 19. Changing the “admin” username


Change WordPress Database Table Prefix

If your database has the default wp_ prefix, this feature will change the default prefix of your database to something random like ex8l1_


Figure 20. Easily change the database prefix


That’s pretty much everything that needs to be configured in the iThemes Security plugin to enhance the security of your website.

Troubleshoot: If you can’t find the latest features that we mentioned in this lesson, make sure to select All at the top.


Figure 21. All iThemes All features


Pros And Cons Of iThemes

Pros

  • Free plugin with nice features
  • Incredibly easy to setup and use
  • Has Malware scanner
  • Protection against brute force, back door
  • Regularly updated
  • Changing database prefixes
  • Changing directories
  • WordPress Multisite support

Cons

  • A simple misconfiguration can break your site
  • Scans can take up a lot of resources (not recommended on shared hosting)
  • No effective after hacking measurements
  • Recent hacking on the iThemes servers


Final Words

We can say that this plugin is one of the most user-friendly plugins for ensuring excellent security for your site. iThemes Security is ideal for beginners and non-technical users, and that’s why it is getting a high score from us. Also, it is free to use, and the features that the plugin provides are very satisfactory.

We mentioned in the Cons that the iThemes servers were recently hacked (September 2014), but we know that the iThemes guys have by now learned their lesson, and now everything is back to normal. It is another indicator that even with a security plugin on your site you need to keep your eyes wide open – all the time.

So in our opinion, this plugin, in combination with the super “security intelligence” that you’ve gained so far, is a complete winner.

