In this tutorial I will show you how to secure WordPress by using the iThemes Security plugin.
iThemes Security for WordPress lets you secure your site pretty quickly, but there are always some extra things you can do to secure WordPress.
The most important thing to do before modifying anything on WordPress is to make a backup of your site, just in case you come across any issues.
Ok, now that we have a backup we can proceed and set up the plugin.
(I'm presuming that you have already installed iThemes Security.)
- The first step in securing WordPress with iThemes Security is to go to the “Security > Settings” page and select “Configure” in the “Security Check” box.
- It will open the security check popup with a checklist.
- Now click on “Secure Site”. This will set up the basics in the plugin.
Once this is done you can close the popup and then select the Global Settings “Configure Settings” button.
- In here, it’s recommended that you check the “Allow iThemes Security to write to wp-config.php and .htaccess.”
- Then make sure your notification email is correct and the backup delivery email is correct.
- Enable the “Enable Blacklist Repeat Offender” option.
- Now “Save Settings”.
Next we need to enable “404 Detection”. There's nothing in there to change.
Now we need to enable “Banned users” and enable “
Brute Force Protection
To protect yourself from local brute force attacks you will need to enable “Local Brute Force Protection”.
- Now enable “Automatically Ban ‘admin’ user” (be careful and make sure your own username is not admin! If it is, change it to a different username first).
- Go to “Network Brute Force Protection” and “Get your iThemes Brute Force Protection API Key”, then save settings.
Strong passwords are a good way to slow any attack on your website. Weak passwords can be hacked in minutes.
To enforce strong passwords site wide:
- Enable Strong Passwords and set “Select Role for Strong Passwords” to “Subscriber”.
Now we will do some “System Tweaks”
- Open System Tweaks popup and “Select All items” then save.
Now for the WordPress Tweaks
- Remove the Windows Live Writer header
- Remove the RSD (Really Simple Discovery) header
- Reduce Comment Spam
- Disable File Editor
- Disable XML-RPC
- Force users to choose a unique nickname
- Disables a user’s author page if their post count is 0
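The plugin applies the tweaks above for you. As an added illustration (not code from this post or from iThemes Security), here are the WordPress hooks and constant that produce the same effect for four of them, written as a must-use plugin; the file location under wp-content/mu-plugins/ is an assumption. It is handy for checking what the plugin changed, or for keeping the same hardening on a site that does not use it.

```php
<?php
/*
Plugin Name: Hardening tweaks (example mu-plugin, not part of iThemes Security)
Description: Hook-level equivalents of four of the WordPress Tweaks above.
*/

// Remove the Windows Live Writer and RSD discovery links from <head>.
// Both only advertise the XML-RPC endpoint to desktop publishing clients.
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'rsd_link');

// Disable XML-RPC. The xmlrpc_enabled filter only refuses the methods that
// require a login, so also drop the unauthenticated pingback method.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping']);
    return $methods;
});

// Disable the theme and plugin file editor. The usual home for this
// constant is wp-config.php; defining it here also works because
// mu-plugins load before the capability checks that read it.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Serve a 404 for the author archive of any user with no published posts,
// so accounts that never write (typically administrators) get no public
// page. Priority 1 runs this before the canonical redirect on the same hook.
add_action('template_redirect', function () {
    if (!is_author()) {
        return;
    }
    $user = get_queried_object();
    if ($user instanceof WP_User && (int) count_user_posts($user->ID) === 0) {
        global $wp_query;
        $wp_query->set_404();     // template loader will now pick 404.php
        status_header(404);
        nocache_headers();
    }
}, 1);
```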
This is how you secure WordPress with the free version of iThemes Security. The Pro version allows you to add even more security, including two-factor authentication, reCAPTCHA and password expiration.
If you're looking to secure your website further, then take a read of my post, Securing your WordPress Website.