How To Configure iTheme Security Advanced Features

In our previous post, we looked at how to configure iTheme Security Basic Features.  In this post we look at some of the more advanced options.  Keep in mind that these should only be used by experienced users, and that you must backup your website and backup your database before attempting these features.

What Are The Advanced Features For?

The basic itheme security settings harden your WordPress website by going through an extensive, yet standard list of vunerabilitie such as enforcing strong passwords, changing file permissions, banning known bots, enabling brute force lockouts, detecting file changes, etc.  The advanced features on the other hand modify the way wordpress itself is structured to defeat automated scripts and bots that scan for vulnerabilities.


Getting to the iTheme Security Advanced Features

From the plugin settings page, click on the Advanced tab.

advanced itheme security dashboard

Advanced iTheme Features look at the following main areas:

  1. Default admin userid and number (admin, 1)
  2. Default admin area URL (wp-admin)
  3. Default content directory (wp-content)
  4. Default database prefix (wp_)


Default admin username and ID

Change admin user

The default wordpress admin username is “admin”, and the default user ID is 1.  Obviously this makes it easier for automated hacking scripts to attempt to gain access to your website.  However, if you use a username that is not a standard user id then these automated scripts will need to figure out two things, the userid as well as the password to gain access and take over your website.

itheme security plugin change admin user


Hiding The Admin Backend

Hide backend

One of the standard WordPress settings is admin login area, typically at  This feature changes the admin area login to something else that you would select.  Please do not use ‘secretlogin” 🙂

Please note that you must backup your website before you make the below change.

iTheme Security hide admin area

Default Content Directory (no longer recommended).

Change Content Directory

Please note that his is no longer a recommended setting since most attack bots and scripts can find the content directory in a programatic way.


Default database prefix (wp_)

Change database prefix

Another default setting in all wordpress websites is that the database prefix starts with wp_  That makes it easier for attack bots and scripts to scan for your database.  This feature creates a random database prefix that makes it much harder for these bots to guess your database name.  To make the change look for the “Change Prefix” setting and set that to “Yes” and then save your settings.

Change prefix

Pin It on Pinterest

Share This