How To Configure iTheme Security WordPress Plugin
Part 1 Standard Features
WordPress is one of the most popular website platforms and comes with a lot of security features built in. However, it is becoming necessary to extend those capabilities. Hackers may try to gain access to a website through multiple methods. Typical hacking methods:
- Using virus-infected mobile devices to attack a particular website. With this method a hacker can try thousands of combinations of userid and password until the right one is guessed. Once the site is hacked, personal and financial information will be stolen; hackers will focus on credit card information or other personal information they can use.
- Probing the upload directory for vulnerabilities, uploading a PHP script there and trying to execute it.
- Trying to overwhelm the system, or to execute scripts, through unusually long URLs sent to the site.
- Phishing attacks, where an email that seems to come from a bank or government agency tries either to download a key logger onto your computer or to get you to enter your userid and password.
There are several good plugins that can be used for security. Highly recommended are Wordfence and the iTheme Security plugin. The following steps show you how to secure your website using the iTheme Security plugin:
Enable iTheme Network Side Protection
From your WordPress dashboard you should see the below notification. Click the “Get Free API Key” and enter your email address.
iTheme will send security notifications to this address, so make sure the right email is entered here.
Ban repeat offenders: users who get locked out more times than a particular threshold are banned:
You can configure the threshold here. The default settings are shown below and they are sufficient.
When someone who tries to attack your website gets locked out, it is useful to be notified:
Enable 404 Detection
An HTTP 404 error is returned when a user requests a file that does not exist. This can of course happen innocently, because of an old link or a broken file. However, hackers also generate many 404s when they intentionally scan your website for vulnerabilities. This feature locks such users out.
Away Mode (Optional)
One method of increasing the security of your WordPress website is to disable access to the backend at certain times of day. For example, do you really need access both day and night? While some websites do require around-the-clock access, others do not. Use this setting on a case-by-case basis. For all PalGeek Inc. websites we disable this feature because of the 24/7 support that we perform.
Ban Known “bad guys” from your WordPress Website
Enable Local Brute Force Protection
Any user or host that tries to access the website will be banned after a specified number of failed attempts. This is necessary to ensure that no machine or user can keep trying userid and password combinations indefinitely until they gain access to the site.
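The lockout behaviour described in the sections above (lockout after too many failed logins, lockout after too many 404s, and a ban for repeat offenders who get locked out again and again) can be illustrated with a small simulation. This is an added example, not code from the iTheme Security plugin; the thresholds, lockout length and the event feed are assumptions constructed for the demo, and the IP addresses are documentation ranges.

```python
"""Simulation of local brute force protection, 404 detection and
repeat-offender banning (added example, not plugin code)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds; the real plugin exposes equivalents in its dashboard.
MAX_LOGIN_FAILURES = 5      # failed logins per host before a lockout
MAX_404S = 20               # 404 responses per host before a lockout
MAX_LOCKOUTS = 3            # lockouts per host before a permanent ban
LOCKOUT_SECONDS = 15 * 60   # length of a temporary lockout


@dataclass
class HostState:
    login_failures: int = 0
    not_found: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    banned: bool = False


class LockoutTracker:
    def __init__(self):
        self.hosts = defaultdict(HostState)
        self.notifications = []   # what an admin would be emailed

    def is_blocked(self, host, now):
        s = self.hosts[host]
        return s.banned or now < s.locked_until

    def _lock_out(self, host, now, reason):
        s = self.hosts[host]
        s.lockouts += 1
        s.login_failures = 0
        s.not_found = 0
        if s.lockouts >= MAX_LOCKOUTS:
            s.banned = True   # repeat offender: permanent ban
            self.notifications.append(f"{host} banned after {s.lockouts} lockouts ({reason})")
        else:
            s.locked_until = now + LOCKOUT_SECONDS
            self.notifications.append(f"{host} locked out ({reason})")

    def handle(self, event):
        """event: dict with ts (seconds), host, kind in {login_fail, login_ok, 404}.
        Returns 'blocked', 'locked' or 'allowed' for that request."""
        host, now = event["host"], event["ts"]
        if self.is_blocked(host, now):
            return "blocked"
        s = self.hosts[host]
        if event["kind"] == "login_fail":
            s.login_failures += 1
            if s.login_failures >= MAX_LOGIN_FAILURES:
                self._lock_out(host, now, "too many failed logins")
                return "locked"
        elif event["kind"] == "login_ok":
            s.login_failures = 0        # a real user who finally logs in is forgiven
        elif event["kind"] == "404":
            s.not_found += 1
            if s.not_found >= MAX_404S:
                self._lock_out(host, now, "404 scanning")
                return "locked"
        return "allowed"


def run_demo():
    """Feed a constructed event stream through the tracker."""
    tracker = LockoutTracker()
    events = []
    # constructed: password guessing from 198.51.100.7, one attempt every 5 minutes
    for i in range(40):
        events.append({"ts": i * 300, "host": "198.51.100.7", "kind": "login_fail"})
    # constructed: vulnerability scanner 203.0.113.9 requesting files that do not exist
    for i in range(25):
        events.append({"ts": 1000 + i, "host": "203.0.113.9", "kind": "404"})
    # constructed: legitimate user on 192.0.2.5 mistypes twice, then logs in
    events += [{"ts": 2000, "host": "192.0.2.5", "kind": "login_fail"},
               {"ts": 2010, "host": "192.0.2.5", "kind": "login_fail"},
               {"ts": 2020, "host": "192.0.2.5", "kind": "login_ok"}]
    results = [tracker.handle(e) for e in events]
    return tracker, results


if __name__ == "__main__":
    tracker, results = run_demo()
    for line in tracker.notifications:
        print(line)
```

Running the demo shows the guessing host locked out three times and then banned, the scanner locked out once after its twentieth 404, and the legitimate user never disturbed because a successful login clears the failure count.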
Database Backups (Optional)
This option allows you to create database backups whenever a configured period of time passes (default is 3 days). While this is a good option, at PalGeek Inc.’s websites we disable this option and we use other methods to protect and backup our database.
Enable File Change Detection (Optional)
This is a great option to have for a static type website where little change is expected. However, this may not be a good option for a website that is continuously changing (like being under development, or a private social network type website).
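To make concrete what file change detection does, and why it is noisy on a site that changes constantly, here is an added example (not the plugin's own code) that builds a SHA-256 manifest of a site directory, then diffs a later manifest against it. The directory layout, file contents and the choice to skip `wp-content/uploads` and `wp-content/cache` are assumptions constructed for the demo.

```python
"""File change detection by hashing (added example, not iThemes Security code)."""
import hashlib
import os
import tempfile

# Assumed: directories that change all the time and would only produce noise.
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/cache")


def build_manifest(root, skip_dirs=DEFAULT_SKIP):
    """Return {relative path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # prune skipped directories in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in skip_dirs]
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            h = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(old, new):
    """Report files that appeared, disappeared, or whose content hash changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed site tree: take a baseline, make some changes, diff."""
    with tempfile.TemporaryDirectory() as site:
        def write(rel, data):
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)

        # constructed baseline
        write("wp-config.php", "<?php define('DB_NAME', 'example');")
        write("readme.html", "<html>readme</html>")
        write("wp-content/themes/demo/functions.php", "<?php // theme functions")
        write("wp-content/uploads/2020/photo.jpg", "jpegdata")
        baseline = build_manifest(site)

        # constructed later state
        write("wp-content/themes/demo/functions.php", "<?php // theme functions (modified)")
        write("wp-includes/new-file.php", "<?php // file nobody installed")
        write("wp-content/uploads/2020/other.jpg", "moredata")   # in a skipped dir: ignored
        os.remove(os.path.join(site, "readme.html"))
        return diff_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a static site the report stays empty between releases, so any entry is worth a look; on a site under development or with user-generated content the report fills up with expected changes, which is the reason the text above suggests leaving the feature off in that case.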
Enable Network Brute Force Protection
This feature lets iTheme Security share with your website, and ban, IP addresses known to be causing problems elsewhere on the internet. This is a very powerful feature that can protect your website from hackers and spam agents before they even attempt to access your website.
Enable Strong Password Enforcement
This feature allows you to force all users (you can select the minimum level) to use strong passwords.
This is part of the more advanced options that iTheme Security provides. Please enable all the options to enhance the security of your website.
Protect sensitive system files so that the public is not able to read them.
Disabling directory browsing prevents visitors from listing your file system when no index file is present.
Protect against suspicious requests in the URL, a common method hackers use to undermine your website by trying to execute malicious scripts.
Finally, protect system files from being written. BE CAREFUL: this should not be done if the website is still under development.
Prevent PHP scripts from being executed in the upload directory. This is another method a hacker may use to run malicious code on your website/server if they manage to gain access to your upload directory (through FTP, for example).
Here you can make changes to some of the existing WordPress features that can be used to gain unauthorized access to your website.
With the exception of the File Editor, which is a useful tool to have within your WordPress Website, please enable and select all the remaining options and recommended settings.
From the main dashboard of the iTheme Security plugin you can find the Malware Scan button. This scans your website for malware and also checks whether your website has been banned anywhere or flagged for security issues.