With online threats on the rise, prioritizing your website's security is something that can't be ignored.
In this article, we will show you how to properly configure iThemes Security in order to secure your WordPress website.
Install iThemes Security and press Skip Setup to bypass the setup process. That will allow us to configure the plugin manually.
Login Security
Two-factor authentication is a must-have for every site. It is one of the best ways to prevent anyone else from logging into your site, since a password alone is no longer enough to get in. Once the option has been activated, you will be able to set it up during the login process.
The Google Authenticator application can be used to authenticate during login.
Lockouts
Activate the Ban Users, Local Brute Force, and Network Brute Force options. Now let’s dive into these options and how each one can help us.
Ban Users
As the name states, this option is used to block specific users and user agents from accessing your site.
Select the Default Ban List option for a free ban list provided by HackRepair.com.
The Limit Banned IPs in Server Configuration Files option blocks malicious IPs via the .htaccess file of your WordPress website.
In the Ban User Agents field add any bad bots that are crawling the site.
Here is a free list of bots that you could add, provided by our Security & Optimization team:
MJ12bot
Dotbot
Petalbot
Go-http-client
Sogou web spider
BLEXBot
Python Requests
IonCrawl
TprAdsTxtCrawler
Barkrowler
BUbiNG
SolomonoBot
Baiduspider
Yeti
Ezooms
MauiBot
exabot
Rogerbot
Exabot
Gigabot
BlackWidow
Bot\ mailto:[email protected]
ChinaClaw
Custo
DISCo
Download\ Demon
eCatch
EirGrabber
EmailSiphon
EmailWolf
Express\ WebPictures
ExtractorPro
EyeNetIE
FlashGet
GetRight
GetWeb!
Go!Zilla
Go-Ahead-Got-It
GrabNet
Grafula
HMView
HTTrack
Image\ Stripper
Image\ Sucker
Indy\ Library
InterGET
Internet\ Ninja
JetCar
JOC\ Web\ Spider
larbin
LeechFTP
Mass\ Downloader
MIDown\ tool
Mister\ PiX
Navroad
NearSite
NetAnts
NetSpider
Net\ Vampire
NetZIP
Octopus
Offline\ Explorer
Offline\ Navigator
PageGrabber
Papa\ Foto
pavuk
pcBrowser
RealDownload
ReGet
SiteSnagger
SmartDownload
SuperBot
SuperHTTP
Surfbot
tAkeOut
Teleport\ Pro
VoidEYE
Web\ Image\ Collector
Web\ Sucker
WebAuto
WebCopier
WebFetch
WebGo\ IS
WebLeacher
WebReaper
WebSauger
Website\ eXtractor
Website\ Quester
WebStripper
WebWhacker
WebZIP
Wget
Widow
WWWOFFLE
Xaldon\ WebSpider
Zeus
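Before (or after) banning user agents it is worth knowing which of them are actually hitting your site. The following is an added example, not code from the article or from iThemes: it takes a subset of the list above, entered exactly as it appears there, and scans Apache combined-format access log lines for requests from those agents. It assumes the plugin matches each entry literally inside the User-Agent header, case-insensitively (the plugin's real rule syntax may differ); the log lines and the IP addresses are constructed for the demo.

```python
import re

# Constructed subset of the Ban User Agents list above, entered as written
# there (a backslash-escaped space stands for a literal space).
BANNED_USER_AGENTS = [
    "MJ12bot",
    "Dotbot",
    "Python Requests",
    "Download\\ Demon",
    "HTTrack",
    "Wget",
]

# Apache "combined" log format; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def compile_banlist(entries):
    """Return (original_entry, lowercase_needle) pairs.

    Assumption: an entry matches when its text appears anywhere in the
    User-Agent header, ignoring case. Only the escaped space is unescaped;
    everything else is taken verbatim.
    """
    return [(entry, entry.replace("\\ ", " ").lower()) for entry in entries]


def match_user_agent(ua, banlist):
    """Return the first list entry found in the user agent, or None."""
    ua_lower = ua.lower()
    for entry, needle in banlist:
        if needle in ua_lower:
            return entry
    return None


def scan_log(lines, entries=BANNED_USER_AGENTS):
    """Return (ip, request, user_agent, matched_entry) for every banned-agent request."""
    banlist = compile_banlist(entries)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        entry = match_user_agent(m["ua"], banlist)
        if entry is not None:
            hits.append((m["ip"], m["req"], m["ua"], entry))
    return hits


def hits_by_ip(hits):
    """Count banned-agent requests per source address."""
    counts = {}
    for ip, _, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log (documentation-range IPs, invented requests).
SAMPLE_LOG = """
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /?s=test HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
203.0.113.8 - - [10/Mar/2024:12:00:07 +0000] "GET /feed/ HTTP/1.1" 200 4410 "-" "python-requests/2.31.0"
192.0.2.44 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 199 "-" "Wget/1.21.3"
192.0.2.45 - - [10/Mar/2024:12:00:11 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Download Demon/3.5)"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, req, ua, entry in found:
        print(f"{ip:15} matched {entry!r:20} {req!r}")
    print(hits_by_ip(found))
```

Note what the sample shows: the request from python-requests/2.31.0 is not flagged, because the list entry "Python Requests" contains a space while the real header contains a hyphen. Whatever rule syntax the plugin uses, an entry only blocks agents whose header actually contains that text, so check your own logs for the exact strings before relying on a ban.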
Local Brute Force
With Local Brute Force, you can limit the number of login attempts a user or host may make before being locked out.
Limit the Max Login Attempts Per User/Host to 4-5. That will lock out any users and bots attempting to access your account by guessing the password.
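To make the per-host and per-user limits concrete, here is an added example of the lockout logic, written for this article and not taken from the plugin: failed logins are counted in a sliding window per host and per username, and a lockout starts when either count reaches its limit. The defaults (5 per host, 10 per user, a 5-minute window, a 15-minute lockout), the class and function names, and the sample event sequence are all constructed assumptions.

```python
import time
from collections import defaultdict, deque


class LoginLockout:
    """Sliding-window failed-login counter with per-host and per-user lockouts.

    Assumption: models the Max Login Attempts Per Host / Per User settings
    with a "remember failures for N minutes" period and a fixed lockout
    duration; the plugin's real storage, expiry and whitelist handling are
    not reproduced here.
    """

    def __init__(self, max_per_host=5, max_per_user=10,
                 check_period=5 * 60, lockout_seconds=15 * 60):
        self.max_per_host = max_per_host
        self.max_per_user = max_per_user
        self.check_period = check_period
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> Unix time the lockout ends

    @staticmethod
    def _keys(ip, username):
        # usernames compare case-insensitively so "Admin" and "admin" share a counter
        return ("host", ip), ("user", username.lower())

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]  # lockout expired
            return False
        return True

    def allow_attempt(self, ip, username, now=None):
        """True if neither the host nor the username is currently locked out."""
        now = time.time() if now is None else now
        return not any(self.is_locked(k, now) for k in self._keys(ip, username))

    def record_failure(self, ip, username, now=None):
        """Record one failed login; return the keys that just became locked out."""
        now = time.time() if now is None else now
        newly_locked = []
        limits = (self.max_per_host, self.max_per_user)
        for key, limit in zip(self._keys(ip, username), limits):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.check_period:
                recent.popleft()  # forget failures older than the check period
            if len(recent) >= limit and not self.is_locked(key, now):
                self._locked_until[key] = now + self.lockout_seconds
                recent.clear()
                newly_locked.append(key)
        return newly_locked


def simulate(events, **settings):
    """Replay (time, ip, username) failed-login events; return lockouts in order."""
    guard = LoginLockout(**settings)
    lockouts = []
    for t, ip, user in events:
        if not guard.allow_attempt(ip, user, now=t):
            continue  # rejected before the password is even checked
        lockouts.extend((t, key) for key in guard.record_failure(ip, user, now=t))
    return lockouts


# Constructed sample: one host hammering "admin", then a slow spray of the
# same username from twelve different hosts.
SAMPLE_EVENTS = (
    [(i, "203.0.113.7", "admin") for i in range(8)]
    + [(100 + i, f"198.51.100.{i}", "admin") for i in range(12)]
)

if __name__ == "__main__":
    for t, key in simulate(SAMPLE_EVENTS, max_per_host=5, max_per_user=10):
        print(f"t={t:>4}s  locked out {key[0]} {key[1]}")
```

The simulation shows why both limits matter: the per-host limit stops the single noisy source after five failures, while the per-user limit is what finally catches a spray that rotates through many hosts and never trips the host counter.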
Network Brute Force
This feature is optional. Once an email address has been added, a weekly WordPress Vulnerability Report will be sent to that address.
Site Check
Site Check monitors your files and notifies you of any changes that have occurred. Note that you will also receive an email when a plugin or theme has been updated, since an update changes files too.
Utilities
The option that we'll take advantage of here is Enforce SSL. Much like the Really Simple SSL plugin, it forces the site to be served over HTTPS.
User Groups
This feature should be configured according to your site. Each site has different user groups, which you can configure individually. Secure the user groups with the most access to the site first, in order to prevent possible infections.
Notification Center
Similar to the User Groups, the notifications should be configured according to the type of site that you have. We’d recommend selecting only administrator users, as they are the ones maintaining the site.
Advanced
Possibly one of the most beneficial features for the security of the website can be located in the Advanced menu. Let’s have a look!
System Tweaks
Most infections modify the WordPress core files or execute third-party scripts in order to do so. That is why we recommend activating all options in this section, to prevent file changes and malicious file execution.
WordPress Tweaks
XML-RPC is used when a third-party service communicates with your site; Jetpack is one example. Unfortunately, attackers take advantage of potential vulnerabilities in it to attack the site. If XML-RPC is not being used, it should be deactivated.
Enabling the Force Unique Nickname and Disable Extra User Archives options will further strengthen the security of the site's users.
Hide Backend
The Hide Backend feature changes the URL of the admin dashboard. Since about 40% of the internet is WordPress websites, guessing the admin address is, to say the least, easy. Changing that address would at least slow down any intruders.
It is best to avoid any easy-to-guess words such as admin, backend, dashboard, etc.