How To Configure iThemes Security Advanced Features
In our previous post, we looked at how to configure the iThemes Security basic features. In this post we look at some of the more advanced options. Keep in mind that these should only be used by experienced users, and that you must back up your website and your database before attempting these features.
What Are The Advanced Features For?
The basic iThemes Security settings harden your WordPress website by working through an extensive, yet standard, list of vulnerabilities: enforcing strong passwords, changing file permissions, banning known bots, enabling brute force lockouts, detecting file changes, etc. The advanced features, on the other hand, modify the way WordPress itself is structured to defeat automated scripts and bots that scan for vulnerabilities.
Getting to the iThemes Security Advanced Features
From the plugin settings page, click on the Advanced tab.
The advanced iThemes Security features cover the following main areas:
- Default admin username and user ID (admin, 1)
- Default admin area URL (wp-admin)
- Default content directory (wp-content)
- Default database prefix (wp_)
Default admin username and ID
The default WordPress admin username is “admin”, and the default user ID is 1. Obviously this makes it easier for automated hacking scripts to attempt to gain access to your website. However, if you use a username that is not the standard one, these automated scripts need to figure out two things, the username as well as the password, to gain access and take over your website.
Hiding The Admin Backend
One of the standard WordPress settings is the admin login area, typically at domain.com/wp-admin. This feature changes the admin login URL to something else that you select. Please do not use “secretlogin” 🙂
Please note that you must back up your website before you make the change below.
Default Content Directory (no longer recommended).
Please note that this is no longer a recommended setting, since most attack bots and scripts can find the content directory programmatically.
Default database prefix (wp_)
Another default setting in all WordPress websites is that the database prefix starts with wp_. That makes it easier for attack bots and scripts to scan for your database. This feature creates a random database prefix that makes it much harder for these bots to guess your database name. To make the change, look for the “Change Prefix” setting, set it to “Yes”, and then save your settings.
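To confirm whether a site still carries the defaults described above (the wp_ prefix, the “admin” username and user ID 1), a small audit script can be run against a copy of wp-config.php and a list of users. This is an added example, not part of the iThemes Security plugin; the function names and the sample inputs are constructed for illustration.

```python
import re

# Defaults named in the article above.
DEFAULT_PREFIX = "wp_"
DEFAULT_ADMIN_NAME = "admin"
DEFAULT_ADMIN_ID = 1

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments so that
    commented-out settings are not mistaken for the active one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", src)

def table_prefix(wp_config_text):
    """Return the active $table_prefix value from wp-config.php text, or None."""
    m = re.search(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""",
                  strip_php_comments(wp_config_text))
    return m.group(2) if m else None

def audit(wp_config_text, users):
    """users: iterable of (user_id, login) pairs, e.g. from a user export."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        findings.append("table prefix not found in wp-config.php")
    elif prefix == DEFAULT_PREFIX:
        findings.append("database prefix is the default 'wp_'")
    for user_id, login in users:
        if login.lower() == DEFAULT_ADMIN_NAME:
            findings.append(f"user '{login}' uses the default admin username")
        if int(user_id) == DEFAULT_ADMIN_ID:
            findings.append(f"user ID 1 still exists (login '{login}')")
    return findings

# Constructed sample inputs (not taken from a real site).
SAMPLE_DEFAULT = """<?php
// $table_prefix = 'x9k2_';
$table_prefix = 'wp_';
"""
SAMPLE_HARDENED = """<?php
# $table_prefix = 'wp_';
$table_prefix  = "x9k2_";
"""

if __name__ == "__main__":
    for name, cfg, users in (("default", SAMPLE_DEFAULT, [(1, "admin")]),
                             ("hardened", SAMPLE_HARDENED, [(7, "site-owner")])):
        print(name, audit(cfg, users) or "no default values found")
```

An empty result only means these specific defaults are gone; it says nothing about the admin URL or the content directory.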