WordPress security has become more of a hot topic in the last few years as many vulnerabilities have been discovered and, unfortunately, exploited. So, we are here today to present our favorite WordPress security plugin, iThemes Security, and show you how to set it up and configure all the recommended settings.
While most of these security vulnerabilities have been quickly patched by the WordPress team and by plugin and theme developers, many users have neglected to update their WordPress websites, or simply hadn’t done so before the hole was found and exploited by malicious parties. This has no doubt left thousands, probably millions, of sites hacked, and the cleanup isn’t pretty.
While the best defence is keeping the WordPress core, plugins, and themes up to date, there are additional steps you can easily take to lock down your WordPress website and drastically reduce the chances of being hacked.
There are a few plugins out there that perform a similar set of actions, but we prefer iThemes Security, formerly Better WP Security. It provides many features, most of which I have detailed over on our Best Must-Have WordPress Plugins blog post. We have not had a single security issue on any website running iThemes Security, and that is quite a few sites.
While that post provides a good general overview of what we think is the best WordPress security plugin, this post is meant to provide the details of setup and configuration. This may seem daunting, but I assure you it is quite simple. There are some advanced areas, but in general those are optional.
Installing and Configuring iThemes Security on a WordPress Website
First, you’ll need to choose which version you need.
The basic, free version will suit most needs. It has the following features:
- One-click “Secure Site” WordPress security check
- Ban bad users
- Block specific IP addresses and user agents from accessing the site
- 404 Detection
- Hide Login & Admin URL
- Change WordPress salts & keys
- Away Mode
- Database Backups
- File Change Detection
- Remove Windows Live Writer header information
- Remove RSD header info
- Remove update notifications from specific user roles
- Remove login error messages
- Rename ‘admin’ account
- Change ID on user with ID 1
- Change WordPress database table prefix
- Change wp-content path
- Force SSL for any post, page, or admin page
- Turn off file editing in WordPress admin
- Reduce Comment Spam
- Local brute force protection
- Network brute force protection
- XML-RPC brute force protection
- Security logs
- Email Notifications & Digest Emails
- Customizable lockout messages
- Strong Password Enforcement
- File Permission Check
- iThemes Sync Integration
- Malware Scan
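As an added illustration (not code from this post or from the iThemes Security plugin), the must-use plugin below applies a handful of the items in the list above using only core WordPress constants and hooks: file editing turned off in the admin, SSL forced for the admin, the RSD and Windows Live Writer header links and the version tag removed, login error messages replaced with a generic one, and XML-RPC switched off. The file name and the generic error wording are assumptions; disabling XML-RPC outright is a blunter step than the plugin's brute-force protection and is flagged as such in the comments.

```php
<?php
/**
 * Plugin Name: Hardening Example
 * Description: Added illustration only; not part of iThemes Security.
 *
 * Save as wp-content/mu-plugins/hardening-example.php (assumed file name).
 * Must-use plugins load on every request and cannot be deactivated from
 * the admin, so the settings below stay in force even if ordinary plugins
 * are switched off.
 */

// The two constants are normally placed in wp-config.php. Must-use plugins
// are loaded before WordPress reads them, so defining them here also works;
// the defined() guards avoid a notice if wp-config.php already sets them.

// Turn off the theme and plugin file editors in the admin. Without this,
// any account that reaches the editor can write arbitrary PHP to the site.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Force SSL for wp-login.php and the whole admin area so credentials and
// session cookies are never sent in the clear.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

add_action( 'init', function () {
    // Remove the Really Simple Discovery link, the Windows Live Writer
    // manifest link, and the generator tag that advertises the exact
    // WordPress version. (WordPress 6.3 dropped the manifest link itself;
    // removing an action that is not registered is harmless.)
    remove_action( 'wp_head', 'rsd_link' );
    remove_action( 'wp_head', 'wlwmanifest_link' );
    remove_action( 'wp_head', 'wp_generator' );
} );

// Replace the detailed login error (which distinguishes an unknown username
// from a wrong password, and so confirms which accounts exist) with one
// generic message. The wording is an assumption.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your username and password.';
} );

// Switch XML-RPC off entirely. This is blunter than the XML-RPC brute-force
// protection in the list above: leave it enabled if you rely on the
// WordPress mobile app or Jetpack, both of which use it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

To confirm the header changes took effect, fetch the front page (replace `example.com`, a placeholder, with your own domain) and grep for the three tags: `curl -s https://example.com/ | grep -i -E 'rsd|wlwmanifest|generator'` should print nothing. A `POST` to `/xmlrpc.php` should now answer with a fault saying XML-RPC services are disabled on this site.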
Next, install and activate it.
You have probably installed plugins on your WordPress website before, but if you haven’t, you can install the free version either by downloading it from the link below and uploading it via the WordPress admin (or FTP), or by going to the Plugins section of the admin, choosing “Add New,” searching for “iThemes Security,” and installing and activating it.
If you purchased the pro version, you will have to download it from the iThemes website and install it via the WordPress admin or FTP.
Configuring iThemes Security
Once you have installed and activated iThemes Security, you can begin the configuration.
In this post, I will go through the standard configuration we use most often for client websites, then explain some of the optional and advanced settings. If you have a specific question, try using Ctrl+F in your browser to search this page for the relevant words and locate your answer. Otherwise, happy reading!