How To Configure iTheme Security WordPress Plugin

Part 1 Standard Features

WordPress is one of the most popular website platforms, and comes with a lot of security features built in.  However, it is becoming necessary to extend those capabilities.  Hackers may try to gain access to a website through multiple methods.  Typical hacking methods:

  1. Using virus-infected mobile devices to attack a particular website.  Using this method a hacker can try thousands of combinations of userid and password to try to guess a right combination.  Once the site is hacked, personal and financial information will be stolen.  Hackers will focus on credit card information or other personal information they can use.
  2. Checking for vulnerabilities through the upload directory, where they would upload a PHP script and try to execute it.
  3. Trying to overwhelm the system by executing scripts in long URLs sent to the site.
  4. Phishing attacks, where an email that seems to come from a bank or government agency tries to either download a key logger onto your computer or get you to enter your userid and password.


There are several good plugins that can be used for security.  Wordfence and the iTheme Security plugin are highly recommended.  The following steps show you how to secure your website using the iTheme Security plugin:

Enable iTheme Network Side Protection

From your WordPress dashboard you should see the notification below.  Click “Get Free API Key” and enter your email address.

itheme network side protection

Global Settings

Allow iTheme to write to .htaccess files

iTheme htaccess file

iTheme will send you security notifications.  Make sure the right email is entered here.

iTheme notification email

Ban repeat offenders, that is, users who get locked out more times than a particular threshold:

iTheme Ban Repeat Offenders

You can configure the threshold here.  The default settings are shown below and they are sufficient.

iTheme Ban Thresholds

When someone who tries to attack your website gets locked out, it is useful to be notified:

iTheme lockout notification email

Enable 404 Detection

An HTTP 404 error is generated when a user tries to access a file that does not exist.  Of course this can happen due to an old link or a broken file.  However, hackers who intentionally scan your website for vulnerabilities also generate these errors as they probe for files that are not there.  This feature will lock such users out.

Away Mode (Optional)

One method of increasing security of your WordPress website is to disable access to the backend during certain times during the day.  For example, would you need access during the day and night?  While some websites do require around the clock access, others do not.  Use this setting on a case by case basis.  For all PalGeek Inc. websites we disable this feature because of the 24/7 support that we perform.

Ban Known “bad guys” from your WordPress Website

Banned Users Blacklist

Enable Local Brute Force Protection

Any user or host that tries to log in to the website will be banned after a specified number of failed attempts.  This is necessary to ensure that no machine or user can keep trying userid and password combinations indefinitely until they gain access to the site.
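The lockout idea behind both 404 detection and local brute force protection can be tried offline against a web server access log. The sketch below is an added example, not the plugin's code: the thresholds, the log lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed thresholds (events, time window) for illustration; not the plugin's defaults.
RULES = {"404": (3, timedelta(minutes=5)), "login": (5, timedelta(minutes=5))}

# Constructed sample log in Apache "combined" format, using documentation IP ranges.
SAMPLE_LOG = "\n".join(
    f'{ip} - - [12/Mar/2024:{clock} +0000] "{req} HTTP/1.1" {status} 512 "-" "-"'
    for ip, clock, req, status in [
        ("203.0.113.7", "10:00:01", "GET /backup.zip", 404),
        ("203.0.113.7", "10:00:02", "GET /test.php", 404),
        ("192.0.2.55", "10:00:05", "GET /old-post", 404),
        ("203.0.113.7", "10:00:09", "GET /old/readme.txt", 404),  # third 404 in 8 s
        *[("198.51.100.20", f"10:01:0{i}", "POST /wp-login.php", 200) for i in range(5)],
        ("192.0.2.55", "10:02:00", "POST /wp-login.php", 302),    # successful login
        ("192.0.2.55", "10:10:00", "GET /old-post", 404),          # stale link, spread out
        ("192.0.2.55", "10:20:00", "GET /old-post", 404),
    ])

def classify(method, path, status):
    # Stock WordPress shows the form again (200) on a failed login and redirects (302) on success.
    failed_login = method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200
    return "404" if status == 404 else "login" if failed_login else None

def find_lockouts(log_text, rules=RULES):
    """Return {(ip, kind): timestamp of the request that crossed the threshold}."""
    windows, lockouts = defaultdict(deque), {}
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue                      # malformed line: ignore
        kind = classify(m["method"], m["path"], int(m["status"]))
        key = (m["ip"], kind)
        if kind is None or key in lockouts:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        limit, period = rules[kind]
        win = windows[key]
        win.append(ts)
        while ts - win[0] > period:       # drop events older than the window
            win.popleft()
        if len(win) >= limit:
            lockouts[key] = ts
    return lockouts
```

The visitor at 192.0.2.55 hits the same stale link three times over twenty minutes and is not locked out, which is the difference between a broken link and a scan.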

Database Backups (Optional)

enable database backups

This option allows you to create database backups whenever a configured period of time passes (default is 3 days).  While this is a good option, at PalGeek Inc.’s websites we disable this option and we use other methods to protect and back up our database.

database backup itheme

Enable File Change Detection (Optional)

File Change Detection iTheme Security

This is a great option to have for a static type website where little change is expected.  However, this may not be a good option for a website that is continuously changing (like being under development, or a private social network type website).
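File change detection comes down to comparing a stored baseline of file hashes with the current state of the site. The sketch below is an added example, not the plugin's code: the excluded `cache` directory, the `wp-content/uploads/` prefix and the function names are assumptions, and the sample tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Assumed exclusions: directories that are expected to change constantly on this site.
EXCLUDE_DIRS = {"cache"}

def snapshot(root, exclude_dirs=EXCLUDE_DIRS):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def suspicious(report, uploads_prefix="wp-content/uploads/"):
    """New or changed PHP files under the uploads directory deserve a closer look."""
    return [p for p in report["added"] + report["modified"]
            if p.startswith(uploads_prefix) and p.lower().endswith(".php")]

def demo():
    """Run the check on a small constructed site tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("index.php", "<?php // home")
        write("wp-content/uploads/photo.jpg", "jpeg bytes")
        baseline = snapshot(root)
        write("index.php", "<?php // home, edited")          # modified
        write("wp-content/uploads/notes.php", "<?php // x")   # added under uploads
        write("wp-content/cache/page.html", "cached")          # excluded directory
        report = compare(baseline, snapshot(root))
        return report, suspicious(report)
```

On a site that changes all the time, the exclusion list is what keeps the report readable; anything left out of it is also left unmonitored.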

Enable Network Brute Force Protection

This feature allows iTheme Security to share with your website, and ban, IP addresses known to be causing problems elsewhere on the internet.  This is a very powerful feature that can protect your website from hackers and spam agents before they attempt to access your website.

Network Brute Force Protection iTheme Security

Enable Strong Password Enforcement

This feature allows you to force all users (you can select the minimum level) to use strong passwords.

Strong Password iTheme Security

System Tweaks

This is part of the more advanced options that iTheme Security provides.  Please enable all the options to enhance the security of your website.

Protect sensitive system files so that the public cannot read them.

Protect system files

Disabling directory browsing will prevent users from seeing your file system in case there is no index file present.

disable directory browsing iTheme Security

Protect against suspicious requests in the URL, a common method hackers may use to undermine your website by trying to execute malicious scripts.

Protect From Suspicious Requests iTheme Security

Finally, protect system files from being written.  BE CAREFUL: this should not be done if the website is still under development.

Prevent users from executing PHP scripts in the upload directory, which is another method a hacker may use to run malicious code on your website/server if they are able to gain access to your upload directory (through FTP for example).

System Tweaks File Protection iTheme Security

WordPress Tweaks

Here you can make changes to some of the existing WordPress features that can be used to gain unauthorized access to your website.

With the exception of the File Editor, which is a useful tool to have within your WordPress Website, please enable and select all the remaining options and recommended settings.

Malware Scan

From the main dashboard of the iTheme Security plugin you can find the Malware Scan button.  This scans your website for malware and also checks whether your website has been banned anywhere or flagged for security issues.

iTheme Security Malware Scan

