Is your website secure?
That is a very generic question. Nobody can guarantee that a website is entirely secure. What everyone can do is take the necessary steps to make their site harder to compromise.
That is even more true for WordPress sites. Being the most popular website creation platform in the world, WordPress is a very attractive target for attackers, who keep looking for new ways to take control of WordPress sites, mostly through automated scanning for known weak spots rather than through individually targeted attacks.
To keep your site secure from such attackers, a security plugin that handles the routine hardening for you is a good start. Among the security plugins for WordPress, iThemes Security is one of the most popular choices.
In today’s tutorial, I will introduce you to this excellent, free plugin and show you how to use it step by step.
Review – Using iThemes Security Plugin
First of all, install and activate the iThemes Security plugin on your WordPress site.
This will create a new menu item titled ‘Security‘ in your WordPress dashboard. Clicking on the ‘Security‘ menu item will take you to a page like the following –
Before doing anything, you need to take care of some important first steps that are mentioned in the floating pop-up box. Let us go through them.
- The first one is for creating a database backup. Click the ‘Make a backup‘ button to create the backup. Depending on your website’s age and size, it may take some time.
- The second is to allow iThemes Security to make some changes in the .htaccess and wp-config.php files. This one is necessary for the plugin to work properly. Therefore, click the ‘Allow File Updates’ button.
- The third one applies a set of basic hardening changes that, according to the plugin, are safe to enable because they do not interfere with themes or plugins. Click the ‘One-click Secure’ button.
- The last one is optional. Enabling this feature will send anonymous usage data to the plugin developer. If you want to help them improve the plugin, click ‘Yes, I’d like to help‘.
Once everything is taken care of, click the ‘X’ icon from the top-right corner of the pop-up box.
At this point, you will be in the ‘Dashboard’ area of the plugin.
The first two sections of the page provide help and instructions about using the plugin. The ‘Security Status‘ section is the most important area of this page. It shows you the current security status of your website. It will look like the following –
As you can see, the issues are divided into three categories –
- High Priority
- Medium Priority
- Low Priority
Deal with the high priority issues first. Then resolve as many medium priority issues as you can. Lastly, go through the low priority issues and address the ones that matter to your site.
And how do you address the issues?
Well, iThemes Security has made it very easy for you. There is a blue ‘Fix it‘ button on the right side of every issue. Clicking the button will open the relevant settings section. You can take the necessary action from there.
The remaining sections of the page report information about your WordPress installation, file system, database and server. There is nothing to configure there.
iThemes Security Plugin Settings
To access the iThemes Security settings options, go to Security -> Settings. You will be taken to a page like the following –
As you can see, the various settings options are divided into separate sections. We will discuss each section one by one. If you want to jump to a specific settings section, you can use the ‘Go to‘ option and select the section from the drop down list.
Global Settings
This section contains options that apply to the plugin as a whole. You can allow the plugin to write to files, and provide one or more email addresses for the notification and backup delivery emails.
Then you will find options to define the lockout messages shown for host, user and community lockouts. Next come the blacklist threshold (how many lockouts a host may collect before it is banned permanently), the blacklist threshold period over which those lockouts are counted, and the lockout period itself. In the log options you can choose what to log, how long to keep logs and the path of the log files. Keep that path outside the web root: the logs record attacker IPs, targeted usernames and probed paths, and a log directory under the site is downloadable by anyone who guesses its name.
404 Detection
When a client requests many non-existent pages within a short period, it is usually a scanner probing for vulnerable plugins, leftover backup files or other well-known paths rather than a visitor following dead links. The 404 detection feature locks out a host that produces too many 404 responses within a given window.
There are separate options for the check period, the error threshold and a file/folder whitelist of paths whose 404s should not count. You can also choose to ignore requests for common file types such as images, stylesheets and scripts, which browsers fetch automatically and which would otherwise inflate the count for innocent visitors.
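To make the detection rule concrete, here is an added example (illustrative code, not part of the plugin or of the original article) that applies the same logic to web server access log lines: it counts each client's 404 responses inside a sliding check period, skips whitelisted paths and common static file types, and flags the client once the count exceeds the error threshold. The log lines, the whitelist, the ignored extensions and the thresholds are all constructed for the example and are not the plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Fields we need from the "combined" access-log format: client IP, timestamp,
# request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Browsers request these blindly, so a 404 on them says nothing about intent
# (the plugin's file/folder whitelist idea). Assumed values for this example.
DEFAULT_WHITELIST = frozenset({"/favicon.ico", "/robots.txt", "/apple-touch-icon.png"})
# Static asset types that are ignored as well ("ignore common files").
IGNORED_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2")


def detect_404_scanners(lines: Iterable[str],
                        check_period: timedelta = timedelta(minutes=5),
                        error_threshold: int = 20,
                        whitelist=DEFAULT_WHITELIST) -> Dict[str, str]:
    """Return {client_ip: iso_timestamp} for every client whose count of
    non-whitelisted 404s exceeds error_threshold inside any sliding window of
    length check_period. The defaults are example values, not plugin defaults."""
    windows = defaultdict(deque)   # ip -> timestamps of its recent qualifying 404s
    flagged: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]          # whitelist on the path only
        if path in whitelist or path.lower().endswith(IGNORED_EXTENSIONS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = windows[m["ip"]]
        window.append(ts)
        while ts - window[0] > check_period:       # slide the window forward
            window.popleft()
        if len(window) > error_threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts.isoformat()
    return flagged


# Constructed sample log: one client probing for files that do not exist,
# one ordinary visitor, and one client with a slow trickle of dead links.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "GET /old-page-1/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:15:00 +0000] "GET /old-page-2/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:30:00 +0000] "GET /old-page-3/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:45:00 +0000] "GET /old-page-4/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:11 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:12 +0000] "GET /2019/moved-post/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "GET /old-page-5/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:15:00 +0000] "GET /old-page-6/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def demo() -> Dict[str, str]:
    """Run the detector on the sample with a 5 minute period and a threshold of 5."""
    return detect_404_scanners(SAMPLE_LOG.splitlines(), timedelta(minutes=5), error_threshold=5)


if __name__ == "__main__":
    print(demo())   # only 203.0.113.7 is flagged, at its sixth miss
```

Run it and only 203.0.113.7 is reported: six misses in four seconds, where the ordinary visitor's favicon and robots.txt misses never count and the slow trickle of dead links from 192.0.2.9 never fits inside one five minute window. The numbers you pick for period and threshold decide how aggressive a scanner has to be before it is noticed, and how many genuine visitors with a broken bookmark get caught.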
Away Mode
If you update and log in to your dashboard only at particular times, you can set up away mode. This makes the login page and dashboard inaccessible during the configured period, which is helpful if you are going on vacation or are only at your desk during specific hours every day.
Check the ‘Enable Away Mode‘ box and then define the type (one-time or daily) and the start and end date and time. Double-check the server's time zone and the schedule before you save: away mode locks you out too, and regaining access early means touching the server rather than the dashboard.
Banned Users
This section lets you ban specific hosts and user agents from accessing your site. You can turn on the blacklist maintained by HackRepair.com. You can also ban particular visitors by checking ‘Enable ban users‘ and providing individual IP addresses, IP address ranges and user agent strings in the fields that follow. Bear in mind that a user agent string is chosen by the client and trivially changed, so treat user agent bans as noise reduction rather than protection.
Brute Force Protection
By default, WordPress doesn’t limit the number of login attempts. Therefore, you can fall prey to brute force attacks if you don’t take any preventive step.
To enable it, check the ‘Enable local brute force protection‘ box. In the fields that follow you set how many failed login attempts a single username and a single host may make within the check period before they are locked out. You can also choose to lock out any host immediately if it tries to log in with the username ‘admin’, since no legitimate user should be using that name once the default account has been renamed. If your site sits behind a reverse proxy or CDN, make sure the plugin sees the real client address rather than the proxy's, or a single lockout will hit every visitor at once.
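The following added example (illustrative code, not the plugin's implementation) models how the limits in this section and the lockout options from Global Settings fit together: failed logins are counted per username and per host inside a sliding check period, reaching a limit triggers a temporary lockout, repeated lockouts within the blacklist threshold period turn into a permanent ban, and an attempt to log in as ‘admin’ locks the host out at once. The scenario, the hosts and every limit are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List


class LoginGuard:
    """Sliding-window login lockout in the style of the plugin's local brute force
    protection. Failed logins are counted per username and per client host over
    check_period; reaching a limit locks that user or host out for lockout_period.
    A host locked out blacklist_threshold times inside blacklist_period is banned
    permanently (the blacklist options from Global Settings), and an attempt to log
    in as 'admin' locks the host out immediately when ban_admin is set. All the
    numbers are assumptions for the example, not the plugin's defaults."""

    def __init__(self, max_user_attempts: int = 10, max_host_attempts: int = 5,
                 check_period: timedelta = timedelta(minutes=5),
                 lockout_period: timedelta = timedelta(minutes=15),
                 blacklist_threshold: int = 3,
                 blacklist_period: timedelta = timedelta(days=7),
                 ban_admin: bool = True) -> None:
        self.max_user_attempts = max_user_attempts
        self.max_host_attempts = max_host_attempts
        self.check_period = check_period
        self.lockout_period = lockout_period
        self.blacklist_threshold = blacklist_threshold
        self.blacklist_period = blacklist_period
        self.ban_admin = ban_admin
        self.user_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.host_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.host_lockouts: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.user_locked_until: Dict[str, datetime] = {}
        self.host_locked_until: Dict[str, datetime] = {}
        self.blacklist: set = set()

    @staticmethod
    def _prune(events: Deque[datetime], now: datetime, period: timedelta) -> None:
        """Drop events that have fallen out of the window ending at now."""
        while events and now - events[0] > period:
            events.popleft()

    def is_blocked(self, host: str, username: str, now: datetime) -> bool:
        if host in self.blacklist:
            return True
        for table, key in ((self.host_locked_until, host), (self.user_locked_until, username)):
            until = table.get(key)
            if until is not None and until > now:
                return True
        return False

    def _lock_host(self, host: str, now: datetime) -> str:
        self.host_fails[host].clear()
        self.host_locked_until[host] = now + self.lockout_period
        lockouts = self.host_lockouts[host]
        lockouts.append(now)
        self._prune(lockouts, now, self.blacklist_period)
        if len(lockouts) >= self.blacklist_threshold:
            self.blacklist.add(host)          # permanent: survives the lockout period
            return "blacklisted"
        return "host_locked_out"

    def attempt(self, host: str, username: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt and return what happened to it."""
        if self.is_blocked(host, username, now):
            return "blocked"                  # not even checked against the password store
        if self.ban_admin and username == "admin":
            return self._lock_host(host, now) # nobody legitimate should use this name
        if password_ok:
            self.user_fails[username].clear()
            return "ok"
        for events in (self.user_fails[username], self.host_fails[host]):
            events.append(now)
            self._prune(events, now, self.check_period)
        if len(self.host_fails[host]) >= self.max_host_attempts:
            return self._lock_host(host, now)
        if len(self.user_fails[username]) >= self.max_user_attempts:
            self.user_fails[username].clear()
            self.user_locked_until[username] = now + self.lockout_period
            return "user_locked_out"
        return "failed"


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a password-spraying host, a probe for 'admin' and a
    legitimate user who mistypes twice."""
    guard = LoginGuard(blacklist_period=timedelta(days=1))
    t0 = datetime(2023, 10, 10, 14, 0, 0)
    attacker, out = "203.0.113.7", {}
    # Five different usernames in five seconds: the per-host limit catches spraying
    # that the per-user limit alone would miss.
    out["round1"] = [guard.attempt(attacker, f"user{i}", False, t0 + timedelta(seconds=i)) for i in range(5)]
    out["during_lockout"] = [guard.attempt(attacker, "editor", False, t0 + timedelta(minutes=1))]
    # Two more rounds after each lockout expires push the host onto the blacklist.
    out["round2"] = [guard.attempt(attacker, f"user{i}", False, t0 + timedelta(minutes=16, seconds=i)) for i in range(5)]
    out["round3"] = [guard.attempt(attacker, f"user{i}", False, t0 + timedelta(minutes=32, seconds=i)) for i in range(5)]
    # Even a correct password is refused once the host is blacklisted.
    out["after_blacklist"] = [guard.attempt(attacker, "editor", True, t0 + timedelta(hours=1))]
    out["admin_probe"] = [guard.attempt("198.51.100.4", "admin", False, t0)]
    out["legit_user"] = [guard.attempt("192.0.2.9", "alice", ok, t0 + timedelta(seconds=i))
                         for i, ok in enumerate((False, False, True))]
    return out


if __name__ == "__main__":
    for phase, results in demo().items():
        print(f"{phase}: {results}")
```

Note the first round: five different usernames from one host, each tried once, never reach the per-user limit, which is exactly the password-spraying pattern the per-host limit exists to catch. Once a host is blacklisted even a correct password is refused, so add your own address to the lockout whitelist in Global Settings before you experiment with low thresholds.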
Database Backups
This section lets you customise the database backups. You can save the backup to your server, send it by email or do both. Then there are options for the backup location, the number of backups to keep and whether to compress the backup files. It is also possible to exclude specific database tables from the backup. A backup kept only on the same server disappears along with it if the server is lost or compromised, so use the email option or copy backups off the host regularly, and keep the backup folder outside the web root so the dumps are not downloadable.
File Change Detection
Many compromises leave traces on disk: a modified core or plugin file, a PHP script dropped into the uploads folder, or an edited .htaccess. Not every attack changes files (stolen credentials or injected database content do not), but file change detection catches the common cases. Enable it to be notified when files under your site are added, removed or modified, and use the include and exclude lists to keep legitimately changing paths, such as caches and uploads, from generating noise.
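As an added illustration of what the feature does underneath (example code, not the plugin's own implementation), the following builds a content-hash manifest of a site tree, then compares a later manifest against it to report added, removed and modified files, with an exclude list for paths that change legitimately. The directory tree and the simulated tampering are constructed inside a temporary folder.

```python
import hashlib
import pathlib
import tempfile
from typing import Dict, Iterable, List


def hash_file(path: pathlib.Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str, exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Map every file under root (as a POSIX-style relative path) to its hash,
    skipping paths that start with one of the exclude prefixes."""
    root_path = pathlib.Path(root)
    manifest: Dict[str, str] = {}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if any(rel.startswith(prefix) for prefix in exclude):
            continue
        manifest[rel] = hash_file(path)
    return manifest


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed site tree: take a baseline, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        site = pathlib.Path(root)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wordpress');",
            "readme.html": "<html>WordPress</html>",
            "wp-includes/version.php": "<?php $wp_version = '6.4';",
            "wp-content/uploads/cache/page.tmp": "cached output",
        }
        for rel, body in files.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        exclude = ("wp-content/uploads/cache/",)   # legitimately churning files
        baseline = snapshot(root, exclude)

        # Simulated compromise: a core file is edited, a PHP file is dropped
        # into uploads, a file is deleted, and the cache churns as usual.
        (site / "wp-includes/version.php").write_text("<?php $wp_version = '6.4'; /* injected */")
        (site / "wp-content/uploads/dropped.php").write_text("<?php /* dropped file */")
        (site / "readme.html").unlink()
        (site / "wp-content/uploads/cache/page.tmp").write_text("new cached output")

        return diff_snapshots(baseline, snapshot(root, exclude))


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real feature. Hashing content rather than trusting modification times matters because an attacker who can write a file can also reset its timestamp. And a baseline stored next to the site can be rewritten by the same attacker, so keep it (or at least a copy) off the host; for WordPress core you can additionally compare against the published checksums with wp-cli's `wp core verify-checksums`.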
Hide Login Area
This handy feature lets you move the common login URLs of a WordPress site (wp-login.php, wp-admin, admin, login and so on) to a custom slug of your choice. Automated attacks against the default URLs then get a 404 instead of a login form, which removes most of the noise from brute force bots. It is obscurity rather than authentication, though: anyone who learns the slug is back where they started, so keep brute force protection and strong passwords enabled as well. If the feature conflicts with your existing theme, you can use the theme compatibility mode.
Secure Socket Layers (SSL)
SSL (today, TLS) encrypts the traffic between a visitor's browser and your web server, so login credentials, session cookies and form data cannot be read or altered by anyone on the network path. If your hosting provider supports it and a certificate is installed on the server, you can use this section to force the login page, the dashboard and optionally the front end over HTTPS. Do not enable it before the certificate is in place, or every protected page will fail to load.
The encryption overhead on modern servers is small, and certificates are available at no cost from providers such as Let's Encrypt, so there is no longer a real trade-off to weigh: enable it. Without it, all the login hardening above still leaves the password readable to anyone who can watch the connection.
Strong Passwords
If your users pick weak passwords, this feature helps. Enable it and select the minimum role at which strong passwords are required; every user at that role or above must then choose a password that the password meter rates as strong.
System Tweaks
This section contains advanced options that harden the web server configuration (written to .htaccess on Apache). Notable ones include disabling directory browsing, filtering suspicious query strings, filtering non-English characters from requests, and disabling PHP execution in the uploads directory, which stops a dropped .php file from ever running. Some of these can break legitimate functionality: the non-English character filter, for example, will block visitors and content in non-Latin languages. Enable them one at a time and test on a staging copy first.
WordPress Tweaks
Like the previous section, these are advanced options, this time aimed at WordPress itself. Interesting ones include reducing comment spam, disabling the built-in theme and plugin file editor (so a stolen admin session cannot be turned into arbitrary PHP execution from the dashboard), disabling detailed login error messages (which otherwise confirm whether a username exists), and forcing users to choose a display nickname different from their login name so usernames are not harvested from author pages.
Advanced Settings
To access the advanced settings, go to Security -> Advanced. The available options are divided into several sections.
Before making any change in these options, make sure that you have made a complete backup of your database. This will ensure that you can get back to the last working condition if anything goes wrong.
The ‘Admin User‘ section lets you deal with the best-known default in WordPress: the ‘admin’ account, which is the first username every brute force tool tries. Check the ‘Enable Change Admin User‘ box to let the plugin rename that account to a name of your choice.
WordPress keeps eight secret keys and salts in wp-config.php (AUTH_KEY, LOGGED_IN_SALT and the rest). They are not something you enable; they are always present and are used to sign login cookies and nonces, so if a copy of wp-config.php leaks, those values are part of what an attacker walks away with.
Checking the ‘Change WordPress Salts‘ box in the ‘WordPress Salts‘ section replaces all of them with fresh random values. This does not change any password. What it does is invalidate every existing login cookie, so all users, including you, are logged out and must sign in again. Rotate them after a suspected compromise or whenever wp-config.php may have been exposed.
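To show what rotation actually does, here is an added example (not the plugin's code) that generates fresh values for the eight constants, renders the define() lines they would replace in wp-config.php, and checks a simplified keyed-hash login cookie before and after the rotation. The cookie format is a simplification made for this example; WordPress's real cookie layout and hash differ, but the dependency on the KEY and SALT pair is the same.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict

# The eight constants WordPress reads from wp-config.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Characters chosen so a value can sit inside a PHP single-quoted string
# without escaping (no single quote, no backslash).
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>,.;:/?|~"


def generate_salts(length: int = 64) -> Dict[str, str]:
    """Fresh random values for all eight constants, from the OS CSPRNG."""
    return {key: "".join(secrets.choice(SALT_ALPHABET) for _ in range(length)) for key in SALT_KEYS}


def render_defines(salts: Dict[str, str]) -> str:
    """The define() lines that would replace the existing block in wp-config.php."""
    return "\n".join(f"define('{key}', '{value}');" for key, value in salts.items())


def sign_cookie(username: str, expiry: int, key: str, salt: str) -> str:
    """Simplified model of a keyed-hash login cookie (example only): the MAC key
    is derived from the KEY and SALT pair, so a new pair makes every old cookie
    unverifiable. Usernames containing '|' are out of scope for this model."""
    mac = hmac.new((key + salt).encode(), f"{username}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{mac}"


def verify_cookie(cookie: str, key: str, salt: str) -> bool:
    """Recompute the MAC under the given pair and compare in constant time."""
    username, expiry, mac = cookie.rsplit("|", 2)
    expected = sign_cookie(username, int(expiry), key, salt).rsplit("|", 1)[1]
    return hmac.compare_digest(mac, expected)


def demo() -> Dict[str, bool]:
    """Issue a cookie under one set of salts, rotate, and check it under both."""
    old = generate_salts()
    cookie = sign_cookie("alice", 1_700_000_000, old["LOGGED_IN_KEY"], old["LOGGED_IN_SALT"])
    new = generate_salts()   # what "Change WordPress Salts" writes into wp-config.php
    return {
        "valid_before_rotation": verify_cookie(cookie, old["LOGGED_IN_KEY"], old["LOGGED_IN_SALT"]),
        "valid_after_rotation": verify_cookie(cookie, new["LOGGED_IN_KEY"], new["LOGGED_IN_SALT"]),
        "all_values_changed": all(old[k] != new[k] for k in SALT_KEYS),
    }


if __name__ == "__main__":
    print(render_defines(generate_salts()))
    print(demo())
```

The cookie that verified under the old LOGGED_IN_KEY and LOGGED_IN_SALT fails under the new pair, which is why every user is logged out after the change. The alphabet deliberately excludes the single quote and the backslash so the values can be pasted into the single-quoted define() calls without escaping.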
It is widely known that all themes, plugins and uploads of a WordPress site are stored in a folder named ‘wp-content’.
Automated bots therefore probe plugin paths under that folder without needing to look for it.
Renaming the directory hides those paths from such blind probing, but it is obscurity only, and any plugin or theme that hard-codes the ‘wp-content’ path will break. If you still want it, use the ‘Change Content Directory‘ section: check the ‘Enable Change Directory Name‘ box and provide the new directory name in the next field. This is best done on a fresh site rather than an established one, and only after a full backup.
Change Database Table Prefix
Another widely known fact about WordPress is the default ‘wp_’ prefix on its database tables. All posts, pages, users and other content of your site live in those tables, so an attacker who has found an SQL injection point in a plugin can name them blindly.
Changing the prefix removes that guess and breaks injection payloads that hard-code names such as wp_users or wp_options, but it is a speed bump rather than a fix; the real remedy is keeping vulnerable code off the site. Check the ‘Change Table Prefix‘ box to let the plugin rename the tables and update wp-config.php accordingly. Back up the database first, since an interrupted rename leaves a half-converted site.
Backups
There is only one option in this tab: creating a database backup. Click the dedicated button and the backup starts immediately. Depending on the size of your database, this may take some time.
Making your website secure is a regular process. You cannot just start and finish this within a specific timeframe. Rather, you will always have to look out for potential problems, hacking attacks, etc. And iThemes Security is your perfect companion in doing this.
Do you use iThemes Security or any other security plugin on your WordPress site? If yes, please share your experience by leaving a comment below.
And if you don’t use a security plugin yet, now is the perfect time to start, especially after reading this in-depth guide to securing your WordPress site.