How to set up the best free WordPress security plugin

Let's talk about iThemes Security

If you’re running a WordPress website and haven’t been hacked yet, you’re one of the lucky ones. If you have been hacked in the past, you’ll never want to live through that nightmare again. In this article, we’ll give you the lowdown on the excellent – and free – iThemes Security plugin. It has 600,000+ active installs, nearly 3,000 five-star reviews and may very well be the best WordPress plugin for security in the world!

iThemes Security – originally called Better WP Security – protects your WordPress install by approaching website security from multiple angles.

It protects against threats, detects attacks and malware, obscures information that would otherwise invite hacking attempts, and enables recovery through backups.


Sit back, follow along if you’d like, and by the time we’re done you’ll know how to secure your WordPress website from top to bottom!

Getting the WordPress plugin for security installed and running

To install the free version of iThemes Security from your WordPress backend, select Add New under the Plugins menu. Search for ithemes security, click Install Now, and then click the Activate Plugin link.

Next, choose Secure Your Site Now to open the Important First Steps dialog box. You’ll be presented with four items:


  1. Back up your site: We’ll discuss proper backups later, but for now, click Make a backup.
  2. Allow File Updates: Click Allow File Updates to let this WordPress plugin for security modify certain files on its own. Highly recommended.
  3. Secure Your Site: Clicking this button enables safe, default security settings that won’t break your site. Highly recommended.
  4. Help Us Improve: If you want iThemes Security to collect anonymous plugin usage data, click this option.

Once completed, click Dismiss to go to the plugin dashboard.

Start at the plugin dashboard

First things first: click Temporarily Whitelist my IP – found on the plugin’s dashboard – to prevent accidentally getting locked out of your own site.


Next, scroll down to the Security Status section. Next to each item you’ll see a Fix it button which, when clicked, takes you to the relevant setting. We’ll explain these in the next section; for now, just keep in mind:

  • High-priority items: address these immediately.
  • Medium-priority items: address these as soon as possible.
  • Low-priority items: suggestions more than requirements.
  • Completed items: hooray!


Security settings: What do they mean?

Here’s a quick rundown of each iThemes Security setting:


1. Global Settings

The defaults for this WordPress plugin for security are usually fine, but you can change things like your email and default messages here.

2. 404 Detection

Hackers run automated bots looking for vulnerable files on your site, most of which don’t exist. Enable this option to ban or lock out users who request a large number of non-existent files too quickly.

3. Away Mode

This option lets you disable access to the WordPress backend for a set period of time each day – or while you sleep – thereby reducing the chance of attack.

4. Banned Users

Here, you can completely ban users from your site by IP or user agent (web browser).

5. Brute Force Protection

Prevent unlimited login attempts; a great security feature and highly recommended.
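Both 404 Detection and Brute Force Protection come down to the same idea: count events per IP inside a time window and lock the address out when a limit is reached. The Python below is an added illustration of that logic (not the plugin's own code) run over constructed log lines; the thresholds, window length and log format are assumptions.

```python
"""Added example, not iThemes code: the per-IP sliding-window lockout check
that 404 Detection and Brute Force Protection both rely on (assumed policy)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed log lines; 401 stands in for a failed login (WordPress really returns 200).
SAMPLE_LOG = """\
203.0.113.7 [2024-05-01 10:00:02] "POST /wp-login.php" 401
203.0.113.7 [2024-05-01 10:00:03] "POST /wp-login.php" 401
203.0.113.7 [2024-05-01 10:00:04] "POST /wp-login.php" 401
203.0.113.7 [2024-05-01 10:00:05] "POST /wp-login.php" 401
203.0.113.7 [2024-05-01 10:00:06] "POST /wp-login.php" 401
198.51.100.9 [2024-05-01 10:01:00] "GET /wp-content/plugins/a/readme.txt" 404
198.51.100.9 [2024-05-01 10:01:01] "GET /wp-content/plugins/b/readme.txt" 404
198.51.100.9 [2024-05-01 10:20:00] "GET /wp-content/plugins/c/readme.txt" 404
192.0.2.5 [2024-05-01 10:05:00] "GET /wp-content/plugins/a/readme.txt" 404
192.0.2.5 [2024-05-01 10:05:01] "GET /wp-content/plugins/b/readme.txt" 404
192.0.2.5 [2024-05-01 10:05:02] "GET /wp-content/plugins/c/readme.txt" 404
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+)" (\d{3})$')
# Assumed policy "at most N events per IP within W"; limits kept small so the sample trips them.
RULES = {"404": (3, timedelta(minutes=5)),
         "login_failed": (5, timedelta(minutes=5))}

def classify(method, path, status):
    """Map one request to the event kind a lockout rule counts, or None."""
    if method == "POST" and path.startswith("/wp-login.php") and status != "200":
        return "login_failed"
    return "404" if status == "404" else None

def find_lockouts(log_text):
    """Return {(ip, kind): time the limit was first reached}."""
    windows = defaultdict(deque)        # (ip, kind) -> timestamps inside window
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines that do not fit the format
        ip, ts, method, path, status = m.groups()
        kind = classify(method, path, status)
        if kind is None or (ip, kind) in lockouts:
            continue
        limit, window = RULES[kind]
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = windows[(ip, kind)]
        q.append(when)
        while when - q[0] > window:     # expire events older than the window
            q.popleft()
        if len(q) >= limit:
            lockouts[(ip, kind)] = when
    return lockouts
```

Note that 198.51.100.9 is never locked out: its third 404 arrives after the window has expired, which is exactly why the "too many, too quickly" wording in the setting matters.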

6. Database Backups

You can schedule database backups here, but we recommend a more robust solution later in the article.

7. File Change Detection

Hackers often modify existing files on your site so their changes blend in and avoid detection. This setting tracks any file modifications against a known-good baseline.
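To show what file change detection actually does, here is an added Python example (not iThemes code) that takes a SHA-256 baseline of a small site tree built in a temporary directory, alters the tree, and reports added, removed and modified files; the directory layout and the skipped upload/cache paths are assumptions.

```python
"""Added example, not the plugin's code: baseline-and-compare file change
detection with SHA-256, run on a constructed site tree in a temp directory."""
import hashlib
import os
import tempfile
# Assumed: directories that change constantly and would only add noise.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")

def build_manifest(root, skip_dirs=SKIP_DIRS):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            dirnames[:] = []            # do not descend into a skipped tree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Build a small site tree, take a baseline, alter it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        write("wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write("wp-content/themes/t/functions.php", "<?php // theme code\n")
        write("wp-content/uploads/2024/photo.jpg", "image bytes")
        baseline = build_manifest(root)
        # Changes of the kind the setting should surface, plus one it should not.
        write("wp-content/themes/t/functions.php", "<?php // theme code\n// extra line\n")
        write("wp-content/plugins/dropped/unexpected.php", "<?php // new file\n")
        os.remove(os.path.join(root, "wp-config.php"))
        write("wp-content/uploads/2024/new.jpg", "more image bytes")  # skipped dir
        return diff_manifests(baseline, build_manifest(root))
```

Calling demo() returns the three lists; on a real site you would store the baseline somewhere the web server cannot overwrite and run the comparison on a schedule.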

8. Hide Login Area

This option enables a custom login URL which helps thwart many automated bots and scripts.

9. Malware Scanning

Scan your homepage for malware, errors, and out-of-date software with technology powered by Sucuri SiteCheck.

10. Secure Socket Layers (SSL)

In plain English, SSL enables encryption between browsers and websites. Selecting this option forces HTTPS, and if your site doesn’t have a working SSL certificate it can lock you out of your own site – so be careful.

11. Strong Passwords

Good passwords are strong passwords; this option enforces them.

12. System Tweaks

These settings can conflict with other plugins and themes. Unless you have a good reason to make changes, I’d pass over this section entirely.

13. WordPress Tweaks

The same as above, but WordPress-focused. Some settings can only be reversed by editing text files; proceed with caution.

And, for the advanced settings:


1. Admin User

Hackers attempt to guess (brute force) the password of the default admin user, so renaming that account is recommended.

2. WordPress Salts

Unless you’ve been recently hacked, the usefulness of this option is marginal in my opinion.

3. Change Content Directory

This option changes where WordPress stores important site files. With a high probability of breaking your site, I’d skip this setting.

4. Change Database Prefix

Automated scripts that scan the web for vulnerable WordPress sites are often programmed with certain defaults in place. Change your database prefix with this option to make it more difficult for hackers’ scripts to automatically infiltrate your site.

Backups to the rescue

Because our discussion mainly looks at a WordPress plugin for security, we won’t get too deep into the topic of backups – here’s an excellent article that does – other than to say: having a backup is important. If something goes wrong with your site and you have a recent backup, things can get running again quickly.


iThemes Security makes it easy to back up your WordPress database (i.e. your written content and settings). It won’t, however, back up your images, themes and other site files. iThemes also sells a BackupBuddy plugin that does a full backup. For a fantastic, free backup solution you can install the UpdraftPlus plugin.

Go pro for support and more features

The free version of iThemes Security provides tremendous value. iThemes also sells a Pro version of their WordPress plugin for security that includes support and additional features like:

…and more.

Protect your site with a security plugin

WordPress websites are magnets for hackers. A quality security plugin protects and locks down your website so you can sleep well at night.

iThemes Security is reputable, quick to set up and has well-explained settings. Advanced security features are available in both the free and Pro version.

Have you used a security plugin on your WordPress website? We’d love to hear about it below.


Also published on Medium.

Image by: grittycitygirl via Compfight cc

Tom Ewer
Tom Ewer is a freelance writer, online entrepreneur, and the founder of Leaving Work Behind and WordCandy. He has been obsessed with WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not running his businesses, you're likely to find him outdoors somewhere – as far away from a screen as possible!