Tutorial: iThemes Security Guide

Why install iThemes Security?  Well, if you are like us, you may have had your site hacked in the past,which caused either the site to go offline, redirected, or worse.  Quite often a hack can go unnoticed for months, diverting web traffic, spamming emails or worse.  Most hacked WordPress sites could have been easily safeguarded by taking simple precautions such as using a strong password, or installing a security plugin such as iThemes Security (previously known as Better WP Security).

Take a situation we found ourselves in just 18 months ago (before we used the plugin as standard on all our sites).  We were subject to a brute force WordPress attack whereby our WordPress installation was hacked, and code injected which diverted the domain to someone else’s site.  What is worse is that we used the same password for all our social media accounts, which were then taken over as well.  The first sign of the incident was emails alerting us to change of emails on those social media accounts.  Since installing iThemes Security we have not had a problem since.  Installing it is easy, and takes just a few minutes with our guide below.

What is iThemes Security?

It is an easy to use Security plugin for your WordPress sites. It’s designed to quickly and easily protect your site featuring a list of Security measures you can turn on or off, depending on your need. Countless devs, designers and freelancers all recommend it so you are in great company by installing it.

Protect your site in  30+ ways. Some of the highlights are:

  • Brute Force Protection – Limit the number of failed login attempts allowed per user. If someone is trying to guess your password, they’ll get locked out after a few tries. You can even white list your own IP, so you’re allowed more login attempts.
  • File Change Detection – If someone manages to get into your site, they’ll probably add, remove or change a file. Get email alerts showing any file changes so you know if you’ve been hacked.
  • 404 Detection – If a bot is scanning your site for vulnerabilities, it will generate a lot of 404 errors. The plugin will lock out that IP after the limit you set (20 errors in 5 minutes by default).
  • Strong Password Enforcement – Set which level of users on your site (admins, editors, users, etc.) need to have strong passwords. This is one of the best ways to secure your site.
  • Away Mode – Not making changes to your site 24 hours a day? Make the admin area inaccessible during specific hours so no one else can sneak in.
  • Email Notifications – Get email notifications when someone gets locked out after too many failed login attempts or when a file has been changed on your site.
  • Rename “Admin” account – Makes your Admin account less vulnerable.
  • Force SSL for any page or post – Added security to every single piece of content on your site.
  • Ban troublesome bots and user agents – Keep the bad guys out.
  • Change wp-content path – Make it difficult for hackers to find the files to exploit
  • Change the WordPress database table prefix – Make it difficult for hackers to find your database

Full list of features available here.

What does iThemes Security look like? (Dashboard screenshot)

 The plugin tells you which Security risks are high, medium, and low priority.  This enables you to make conscious decisions about the seriousness of each fix.  We certainly recommend implementing the High and Medium Priority fixes without delay.


iThemes Security Tutorial

We have put together (with the help of iThemes) a detailed tutorial that will take you through all the steps needed to secure your website from attack.  Whilst the screenshots show we are using the “Pro” version of the Plugin they apply to the free version as well.  In fact, we have used the free version without incident for 18 months.  However, with all the new features coming up for the Pro version it is well worth considering if you take your site security seriously.

1. Before you get Started

Before you get started securing and protecting your site, we highly recommend making a backup of your site (specifically your WordPress database, config file, and .htaccess file). The plugin allows you to make a basic database backup after activation, but they recommend making a backup before installation as well.  It never hurts though, to take your own backup as well.

In rare cases where web hosts severely limit resource usage or execution time the installation process may become interrupted, and should this happen during a database driven process (such as renaming database tables) it may need a restore from backup.  Whilst it is rare, it never hurts to take adequate precautions via your own backup.  We do not recommend relying on your web hosting providers courtesy backup.

Once you have a backup of your site, you’re ready to get started.

2. Installation and Activation

Follow the standard automatic or manual WordPress plugin installation steps by installing iThemes Security either via the WordPress.org plugin directory or by uploading the files to your server. Activate the plugin through the ‘Plugins’ menu in WordPress. After you activate it click the Secure Your Site Now button to start the process.

installation and activation

3. Important First Steps

important first steps ithemes security

Step 1: Backup your site again. It will make a basic database backup of your site and automatically send you the backup file to your designated email address. Click the Make a backup button.  We actually recommend going further than this, and backing up your files as well.  It may make changes to your .htaccess or wp-config.php file, so it is always useful to make sure that you can revert any changes in the rare event that something goes wrong during the installation process.

Step 2: Allow file updates.Many of the functions of this plugin require editing some of your files, specifically your wp-config.php and .htaccess files. Click the Allow file updates button to allow the plugin to safely update these files automatically.  Remember to take a full backup first!

Step 3: Secure your site.With the one-click secure button, you’ll enable all the default security settings recommended to secure your site. Click the One-Click Secure button.  By doing this, you get a basic level of protection within minutes, and even if this is all you do, you are still in better shape than if you had done nothing.  Of course, there are a few more tweaks you can make, as set out below.

4. iThemes Security Dashboard Overview

ithemes security dashboard

Security Status:  The Security Status section gives you a list of the remaining High, Medium and Low priority items that affect your site security. Click the Fix it button next to any item on the list to change the corresponding setting. They recommend completing, at least, the high priority items. These items will be moved to the completed section, once fixed.

security status

5. Details about each tab and how their features secures your site

Settings Tab:The Settings Tab allows you to customize your security setup on a feature by feature basis. Use the drop-down at the top of this page to easily navigate between sections.

settings tab ithemes

Advanced Tab: These settings should be used with extra caution on an existing site. Make sure you have a good backup before changing any setting on this page. In addition, these settings will not be reversed if you remove this plugin.

advanced tab ithemes

Backups Tab: The Backups tab allows you to create a database backup and adjust your backup settings. Click Adjust Backup Settings to customize how backups are handled on this site.

backups tab ithemes

Logs Tab: The Logs tab includes security logs of information collected like file change 404 intrusions and invalid login attempts. This information helps you get a picture of what is happening with your site and the level of success you’ve achieved in your security efforts.


Help Tab: From here you can get access to support and pro features in iThemes Security Pro. If you need help securing your site, you can have a security expert secure it for you or get access to hack repair from one of their trusted partners (such as Sucuri, who we mention briefly below).


What else should you be doing to secure your WordPress site?

Whilst we do not intend to go into huge amount of detail in this article other steps you should take, we have a few tips below:

  1. Pick a host that takes security seriously.  Many smaller hosts do not properly secure their servers, or if a Brute Force attack happens, they do not effectively deal with the attack before it not only affects the server but also accounts on that server.  For this reason we highly recommend SiteGround for any critical websites where even the smallest breach is disastrous.  Fortunately, SiteGround also offer a 25% discount on the Pro version for their customers.
  2. Setup Cloudflare.  Cloudflare has many security features, even on their free plan, but their Pro plan has many Web Application Firewalls (WAF’s) you can enable, including ones specific to WordPress.  Of course, some hosts like SiteGround also have their own WAF’s, but it never hurts to have more layers of security.
  3. Make sure you update your plugins and themes regularly.  Most of the common hacks / injections happen because of out dated plugins.  In most cases, the vulnerability is fixed in later versions, so not updating can leave your installation wide open to attack.  Also, always use a trusted source for your theme and plugins.
  4. Choose difficult passwords.  We actually use a free program called KeePass that allows us to store long and complex passwords.  All we do to use a password is copy paste so not even a key logger on our PC will find out the password!
  5. The corner-stone of any restoration of a hacked account is to restore your website to an earlier time to before the hack took place.  Don’t be fooled by web hosting providers offering backups… these are mainly for courtesy only, and their terms and conditions will soon tell you that they make no guarantee of backups being available.  Fortunately, theyoffer one of the best backup solutions around with their BackUpBuddy product (we will do a separate tutorial on this in due course), but there are others.  What we like about BackUpBuddy is the ability to back up to third-party storage such as DropBox, or AmazonS3 (our preferred solution).
  6. Monitor your website for hacks.  They also track for changes on your site, but we prefer a more proactive approach, and install the Sucuri WordPress Plugin. This will check the site for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code etc.  It also will verify all WordPress core files for changes which are useful to find hidden back doors and other vulnerabilities.  This plugin is free, but what we like about Sucuri is their paid service to actually remove malware from your site for just $89.99 per year.  They will also tell you how to plug the vulnerability, and if it gets hacked again during the year happily clean it up again.  We highly recommend it if you are facing problems.

What if you have already been hacked?

  1.  Seriously, prevention is better than cure… don’t wait until you are hacked to do something about it.  Follow the guide above, and other recommendations.
  2. If you find your site has been hacked, WordPress have a decent guide here on what to do.  It is well worth following if you intend to troubleshoot the issue yourself.
  3. Over and above that, we recommend restoring your website to a time before the hack took place.  If you cannot do this because you either have no restore point, or you do not wish to lose the data then you will need to consult an outside firm such as Sucuri.  As we said before, their service at just $89.99 is a bargain.

Final Thoughts

So, what is our verdict?  Well, in our opinion their two flagship products iThemes Security and BackUpBuddy are among the best solutions for both security and backups around, and ones we personally have used extensively.  Whilst you can buy each plugin separately for $80, you can actually buy their whole plugin suite for just $247, although if you are a SiteGround customer you can get 25% off this.  Regardless, it is a small price to pay for peace of mind.

Of course, there is nothing wrong with just using the free iThemes Security plugin as well!

Get Valuable SEO Insight into your domain

  1. Reply Eric June 19, 2014 at 3:53 pm

    Backupbuddy and iThemes Security DO indeed look great on paper but you only have to poke around their support forum and spend a minute on Google to figure out that these plugins have caused a lot of trouble for a lot of people.

    I’ve never actually accomplished a trouble free off site backup with Backupbuddy no matter what I do with PHP or memory allocation settings.

    One of the first things you should do before touching anything is tell it not to block your IP so you can log back in even if you screw up everything. But of course, at least when I gave it a spin a month or so ago, my IP was locked out after doing practically nothing.

    I’ve concluded that it makes so many radical changes to a WP install that it’s just not worth it when, in fact, you can make many of the most essential changes yourself.

  2. Reply iThemes May 28, 2014 at 7:41 pm

    Awesome guide. Thanks!

Leave a reply