
Secure your WordPress site with iThemes Security

    With online threats on the rise, prioritizing your website's security is something that can't be ignored.

    In this article, we will show you how to properly configure iThemes Security in order to secure your WordPress website.

    Install iThemes Security and press the Skip Setup process. That will allow us to manually configure the plugin.

    Login Security

    Two-factor authentication is a must-have for every site. It is one of the best ways to prevent unauthorized logins to your site. Once the option has been activated, you will be able to set it up during the login process.

    The Google Authenticator application can be used to authenticate during login.

    Lockouts

    Activate the Ban Users, Local Brute Force, and Network Brute Force options. Now let’s dive into these options and how each one can help us.

    Ban Users

    As the name states, this option is used to block any users and user agents from accessing your site.

    Select the Default Ban List option for a free ban list provided by HackRepair.com.

    The Limit Banned IPs in Server Configuration Files option blocks malicious IPs through the .htaccess file of your WordPress website.

    In the Ban User Agents field add any bad bots that are crawling the site.

    Here is a free list of bots that you could add, provided by our Security & Optimization team:

    MJ12bot
    Dotbot
    Petalbot
    Go-http-client
    Sogou web spider
    BLEXBot
    Python Requests
    IonCrawl
    TprAdsTxtCrawler
    Barkrowler
    BUbiNG
    SolomonoBot
    Baiduspider
    Yeti
    Ezooms
    MauiBot
    exabot
    Rogerbot
    Exabot
    Gigabot
    BlackWidow
    Bot\ mailto:[email protected]
    ChinaClaw
    Custo
    DISCo
    Download\ Demon
    eCatch
    EirGrabber
    EmailSiphon
    EmailWolf
    Express\ WebPictures
    ExtractorPro
    EyeNetIE
    FlashGet
    GetRight
    GetWeb!
    Go!Zilla
    Go-Ahead-Got-It
    GrabNet
    Grafula
    HMView
    HTTrack
    Image\ Stripper
    Image\ Sucker
    Indy\ Library
    InterGET
    Internet\ Ninja
    JetCar
    JOC\ Web\ Spider
    larbin
    LeechFTP
    Mass\ Downloader
    MIDown\ tool
    Mister\ PiX
    Navroad
    NearSite
    NetAnts
    NetSpider
    Net\ Vampire
    NetZIP
    Octopus
    Offline\ Explorer
    Offline\ Navigator
    PageGrabber
    Papa\ Foto
    pavuk
    pcBrowser
    RealDownload
    ReGet
    SiteSnagger
    SmartDownload
    SuperBot
    SuperHTTP
    Surfbot
    tAkeOut
    Teleport\ Pro
    VoidEYE
    Web\ Image\ Collector
    Web\ Sucker
    WebAuto
    WebCopier
    WebFetch
    WebGo\ IS
    WebLeacher
    WebReaper
    WebSauger
    Website\ eXtractor
    Website\ Quester
    WebStripper
    WebWhacker
    WebZIP
    Wget
    Widow
    WWWOFFLE
    Xaldon\ WebSpider
    Zeus
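    To see which requests in a web server log the list above would have stopped, here is an added Python example (not part of the article or of the plugin): it takes a subset of the entries exactly as written, treats each one as a case-insensitive substring pattern, on the assumption that the plugin's .htaccess rule matches the User-Agent header the way a RewriteCond with the NC flag does, and runs it over constructed access log lines. Note the last sample line: the real header sent by the Python requests library is python-requests/x.y, which the entry Python Requests does not match, so the spelling of each entry has to match the header literally.

```python
import re

# Subset of the article's Ban User Agents list, copied as written there:
# spaces are backslash-escaped, as in an .htaccess RewriteCond pattern.
BANNED_USER_AGENTS = [
    "MJ12bot", "Python Requests", "HTTrack", "Download\\ Demon",
    "Offline\\ Explorer", "Wget", "Go-http-client",
]


def compile_ban_list(entries):
    """Turn the list entries into one case-insensitive regex.

    Each entry is used as a regex fragment (so "\\ " is a literal space),
    which mirrors the assumed behaviour of a
    RewriteCond %{HTTP_USER_AGENT} ... [NC] rule: a case-insensitive
    substring match against the User-Agent header.
    """
    return re.compile("|".join(entries), re.IGNORECASE)


# Constructed sample lines in Apache combined log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
203.0.113.9 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
203.0.113.12 - - [10/Mar/2024:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 4000 "-" "Offline Explorer/2.5"
203.0.113.14 - - [10/Mar/2024:10:00:04 +0000] "GET /feed/ HTTP/1.1" 200 3000 "-" "python-requests/2.31"
"""

# Client IP, request line, status, size, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<request>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def find_banned_hits(log_text, entries=BANNED_USER_AGENTS):
    """Return (ip, user_agent) for every request whose User-Agent matches the ban list."""
    pattern = compile_ban_list(entries)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and pattern.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits
```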

    Local Brute Force

    With Local Brute Force, you can limit the number of failed login attempts a user or host may make before being locked out.

    Limit the Max Login Attempts Per User/Host to 4-5. That will lock out any users and bots attempting to access your account by guessing the password.
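    As an added example, not from the article or the plugin, the following Python counts credential submissions per host in constructed access log lines and reports the hosts that have reached the 5-attempt limit recommended above, which is the kind of host the Local Brute Force lockout is meant to stop. It assumes that a POST to wp-login.php answered with a 302 redirect is a successful login and a 200 is a failed one, and it also counts POSTs to xmlrpc.php (covered further down) because that endpoint accepts credentials as well.

```python
import re
from collections import defaultdict

# Threshold from the article: lock out after 4-5 attempts per user/host.
MAX_ATTEMPTS_PER_HOST = 5

# Endpoints that accept WordPress credentials.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Client IP, request method and path, and response status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines in Apache combined log format, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:11:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:11:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:11:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:11:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2024:11:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2024:11:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""


def failed_login_attempts(log_text):
    """Return {ip: count} of credential submissions that did not succeed."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if path not in LOGIN_ENDPOINTS:
            continue
        # Assumption: wp-login.php answers a successful login with a 302
        # redirect and re-renders the form with a 200 after a failure.
        # xmlrpc.php returns 200 either way, so every POST there is counted.
        if path == "/wp-login.php" and m.group("status") == "302":
            continue
        counts[m.group("ip")] += 1
    return dict(counts)


def hosts_to_lock_out(log_text, limit=MAX_ATTEMPTS_PER_HOST):
    """Hosts that have reached the Local Brute Force limit."""
    return sorted(ip for ip, n in failed_login_attempts(log_text).items() if n >= limit)
```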

    Network Brute Force

    This feature is optional. Once an email address has been added, a weekly WordPress Vulnerability Report will be sent to it.

    Site Check

    Site Check monitors your files and notifies you of any changes that have occurred. Note that you will also receive an email when a plugin or theme has been updated.

    Utilities

    The option we'll take advantage of here is Enforce SSL. Much like the Really Simple SSL plugin, iThemes will force the site to be served over HTTPS.

    User Groups

    This feature should be configured according to your site. Each site has different user groups, which you can configure individually. Secure the user groups that have more access to the site in order to prevent possible infections.

    Notification Center

    Similar to the User Groups, the notifications should be configured according to the type of site that you have. We’d recommend selecting only administrator users, as they are the ones maintaining the site.

    Advanced

    Possibly one of the most beneficial features for the security of the website can be located in the Advanced menu. Let’s have a look!

    System Tweaks

    Most infections modify the WordPress core files or execute third-party scripts in order to do so. That is why we recommend activating all the options here, which prevent file changes and malicious file execution.

    WordPress Tweaks

    XML-RPC is used when a third-party service, Jetpack for example, communicates with your site. Unfortunately, attackers take advantage of its potential vulnerabilities to attack the site. If XML-RPC is not being used, it should be deactivated.

    Enabling the Force Unique Nickname and Disable Extra User Archives options further strengthens the security of the site's users.

    Hide Backend

    The Hide Backend feature changes the URL of the admin dashboard. Since about 40% of the internet is WordPress websites, guessing the admin address is, to say the least, easy. Changing that address would at least slow down any intruders.

    It is best to avoid any easy-to-guess words such as admin, backend, dashboard, etc.