If you’re running a WordPress website and haven’t been hacked yet, you’re one of the lucky ones. If you have been hacked in the past, you’ll never want to live through that nightmare again. In this article, we’ll give you the lowdown on the excellent – and free – iThemes Security plugin. It has 600,000+ active installs, nearly 3,000 five-star reviews and may very well be the best WordPress plugin for security in the world!
iThemes Security – originally called Better WP Security – protects your WordPress install by approaching website security from multiple angles.
Sit back, follow along if you’d like, and by the time we’re done you’ll know how to secure your WordPress website from top to bottom!
Getting the WordPress plugin for security installed and running
To install the free version of iThemes Security from your WordPress backend, select Add New under the Plugins menu. Search for ithemes security, click Install Now, and then click the Activate Plugin link.
Next, choose Secure Your Site Now to open the Important First Steps dialog box. You’ll be presented with four items:
- Back up your site: We’ll discuss proper backups later, but for now, click Make a backup.
- Allow File Updates: Click Allow File Updates to let this WordPress plugin for security modify certain files on its own. Highly recommended.
- Secure Your Site: Clicking this button enables safe, default security settings that won’t break your site. Highly recommended.
- Help Us Improve: If you want iThemes Security to collect anonymous plugin usage data, click this option.
Once completed, click Dismiss to go to the plugin dashboard.
Start at the plugin dashboard
First things first: click Temporarily Whitelist my IP – found on the plugin’s dashboard – to prevent accidentally getting locked out of your own site.
Next, scroll down to the Security Status section. Next to each item you’ll see a Fix it button which, when clicked, takes you to the relevant setting. We’ll explain these in the next section; for now, just keep in mind:
- High-priority items: address these immediately.
- Medium-priority items: address these as soon as possible.
- Low-priority items: suggestions more than requirements.
- Completed items: hooray!
Security settings: What do they mean?
Here’s a quick rundown of each iThemes Security setting:
1. Global Settings
The defaults for this WordPress plugin for security are usually fine, but you can change things like your email and default messages here.
2. 404 Detection
Hackers run automated bots looking for vulnerable files on your site, most of which don’t exist. Enable this option to ban or lock out users who request a large number of non-existent files too quickly.
3. Away Mode
This option lets you disable access to the WordPress backend for a set period of time each day – or while you sleep – thereby reducing the chance of attack.
4. Banned Users
Here, you can completely ban users from your site by IP or user agent (web browser).
5. Brute Force Protection
Prevent unlimited login attempts; a great security feature and highly recommended.
6. Database Backups
You can schedule database backups here, but we recommend a more robust solution later in the article.
7. File Change Detection
To avoid detection, hackers often change existing files on your site. This setting tracks any file modifications.
8. Hide Login Area
This option enables a custom login URL which helps thwart many automated bots and scripts.
9. Malware Scanning
Scan your homepage for malware, errors, and out-of-date software with technology powered by Sucuri SiteCheck.
10. Secure Socket Layers (SSL)
In plain English, SSL encrypts traffic between browsers and your website. Forcing SSL here before your server has a working certificate can lock you out of your own site, so be careful.
11. Strong Passwords
Good passwords are strong passwords; this option enforces them.
12. System Tweaks
These settings can conflict with other plugins and themes. Unless you have a good reason to make changes, I’d pass over this section entirely.
13. WordPress Tweaks
The same as above, but WordPress-focused. Some settings can only be reversed by editing text files; proceed with caution.
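Settings 2 and 5 apply the same kind of rule: count suspicious events per client IP inside a time window and lock that IP out once a threshold is crossed. The following added example (not code from iThemes Security) implements that rule for 404 Detection over constructed access-log lines; the threshold, window, sample IPs and paths are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format regex: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we need from one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def find_lockouts(lines, threshold=20, window_seconds=300, status=404):
    """Sliding-window rule: lock out an IP once it has produced `threshold`
    responses with `status` inside any `window_seconds` span.
    Returns {ip: timestamp of the request that triggered the lockout}."""
    recent = defaultdict(deque)  # ip -> timestamps of matching hits still in window
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status or rec["ip"] in locked:
            continue
        hits = recent[rec["ip"]]
        hits.append(rec["ts"])
        # Drop hits that have aged out of the window before counting.
        while (rec["ts"] - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        if len(hits) >= threshold:
            locked[rec["ip"]] = rec["ts"]
    return locked

def _line(ip, sec, path, status):
    # Constructed sample log line (not real traffic) in combined log format.
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')
# A normal visitor with one stray 404, and a scanner probing six missing files in six seconds.
SAMPLE_LOG = [_line("198.51.100.7", 1, "/", 200),
              _line("198.51.100.7", 2, "/old-page", 404)]
SAMPLE_LOG += [_line("203.0.113.9", 10 + i, f"/notreal{i}.php", 404) for i in range(6)]

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG, threshold=5, window_seconds=60))
```

With a 60-second window the scanner is locked out on its fifth 404 while the normal visitor is untouched; shrinking the window to three seconds shows why the window matters, since the same hits then never reach the threshold.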
And, for the advanced settings:
1. Admin User
Hackers attempt to guess (brute force) the password of the default admin user, so renaming that account is recommended.
2. WordPress Salts
Unless you’ve been recently hacked, the usefulness of this option is marginal in my opinion.
3. Change Content Directory
This option changes where WordPress stores important site files. With a high probability of breaking your site, I’d skip this setting.
4. Change Database Prefix
Automated scripts that scan the web for vulnerable WordPress sites are often programmed with certain defaults in place. Change your database prefix with this option to make it more difficult for hackers’ scripts to automatically infiltrate your site.
Backups to the rescue
Because our discussion mainly looks at a WordPress plugin for security, we won’t get too deep into the topic of backups – here’s an excellent article that does – other than to say: having a backup is important. If something goes wrong with your site and you have a recent backup, things can get running again quickly.
iThemes Security makes it easy to back up your WordPress database (i.e. your written content and settings). It won’t, however, back up your images, themes and other site files. iThemes also sells a BackupBuddy plugin that does a full backup. For a fantastic, free backup solution you can install the UpdraftPlus plugin.
Go pro for support and more features
The free version of iThemes Security provides tremendous value. iThemes also sells a Pro version of their WordPress plugin for security that includes support and additional features like:
Protect your site with a security plugin
WordPress websites are magnets for hackers. A quality security plugin protects and locks down your website so you can sleep well at night.
iThemes Security is reputable, quick to set up and has well-explained settings. Advanced security features are available in both the free and Pro versions.
Have you used a security plugin on your WordPress website? We’d love to hear about it below.
Also published on Medium.