Why install iThemes Security? Well, if you are like us, you may have had your website hacked in the past, which either took the website offline, redirected it to someone else's site, or worse. Quite often a hack goes unnoticed for months, diverting web traffic, sending spam or worse. Most hacked WordPress websites could have been safeguarded by taking simple precautions such as using strong, unique passwords, keeping core, plugins and themes updated, or installing a security plugin such as iThemes Security (previously known as Better WP Security).
Take a situation we found ourselves in just 18 months ago (before we used the plugin as standard on all our websites). We were subject to a brute force WordPress attack whereby our WordPress installation was hacked, and code was injected which diverted the domain to someone else's website. What is worse is that we used the same password for all our social media accounts, which were then taken over as well. The first sign of the incident was an email we received alerting us to a change of email address on those social media accounts. Since installing iThemes Security, we have not had a problem. Installing it is easy and takes just a few minutes with our guide below.
What is iThemes Security?
It is an easy-to-use security plugin for WordPress websites. It is designed to protect your website quickly and easily, offering a list of security measures you can turn on or off depending on your needs. Countless developers, designers and freelancers recommend it, so you are in good company by installing it.
Protect your website in 30+ ways. Some of the highlights are:
- Brute Force Protection — Limit the number of failed login attempts allowed from an IP address or against a username. If someone is trying to guess your password, they will be locked out after a few tries. You can also whitelist your own IP address so that you are allowed more attempts and do not lock yourself out.
- File Change Detection — If someone manages to get into your website, they will probably add, remove or change a file. Get email alerts listing any file changes so you know if you have been hacked. Expect legitimate updates and caches to show up too, so exclude high-churn directories and review the report after every update rather than ignoring it.
- 404 Detection — If a bot is scanning your website for vulnerabilities, it will generate a lot of 404 errors. The plugin will lock out that IP once it passes the limit you set (20 errors in 5 minutes by default).
- Strong Password Enforcement — Set which user roles on your website (administrators, editors, subscribers, etc.) must have strong passwords. This is one of the best ways to secure your website.
- Away Mode — Not making changes to your website 24 hours a day? Make the admin. area inaccessible during specific hours so no one else can sneak in.
- Email Notifications — Get email notifications when someone gets locked out after too many failed login attempts or when a file has been changed on your website.
- Rename "Admin" account — The default "admin" username is the first one attackers try, so renaming it removes half of the credential pair from their guess list.
- Force SSL for any page or post — Serve chosen pages, posts and the admin area over HTTPS so logins and session cookies are not sent in clear text. You need a valid SSL certificate on your host for this to work.
- Ban troublesome bots and user agents — Keep known bad crawlers and scanners out by blocking their IP ranges and user-agent strings.
- Change wp-content path — Makes it harder for automated scanners to find plugin and theme files to exploit. This is obscurity only: it can break plugins that hard-code the path, and it does not fix an outdated plugin, so keep updating.
- Change the WordPress database table prefix — Many SQL injection payloads and automated tools assume the default "wp_" prefix, so a custom prefix stops the lazy ones. It does not hide your database, and an injection that can read information_schema will find the real prefix, so treat it as a minor hardening step and only change it with a fresh backup, because the rename touches every table.
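To make the lockout logic behind the Brute Force and 404 Detection features concrete, here is an added example (our own illustration, not the plugin's code) that applies the same kind of sliding-window rule to web-server access log lines. The 404 threshold of 20 hits in 5 minutes is the page's default; the login threshold of 5 failures, the 15-minute lockout, the allow-listed address 203.0.113.10 and the log lines themselves are assumptions constructed for the demo. It relies on one WordPress behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login redirects with 302.

```python
"""Sliding-window lockouts for failed logins and 404 bursts, applied to
combined-format access log lines.  Added illustration of the plugin's
Brute Force / 404 Detection features; not iThemes Security's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# event kind -> (hits allowed, window).  The 404 rule is the page's default;
# the login rule is an assumed value.
RULES = {
    "login_fail": (5, timedelta(minutes=5)),
    "404": (20, timedelta(minutes=5)),
}
LOCKOUT = timedelta(minutes=15)        # assumed lockout length
ALLOWLIST = {"203.0.113.10"}           # assumed: the site owner's own IP

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


class LockoutTracker:
    def __init__(self, rules=RULES, lockout=LOCKOUT, allowlist=ALLOWLIST):
        self.rules, self.lockout, self.allowlist = rules, lockout, set(allowlist)
        self.events = defaultdict(deque)   # (ip, kind) -> timestamps in window
        self.locked_until = {}             # ip -> datetime

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, kind, now):
        """Count one event; return True when it triggers a new lockout."""
        if ip in self.allowlist or kind not in self.rules or self.is_locked(ip, now):
            return False
        limit, window = self.rules[kind]
        hits = self.events[(ip, kind)]
        hits.append(now)
        while hits and now - hits[0] > window:     # drop hits older than the window
            hits.popleft()
        if len(hits) >= limit:
            self.locked_until[ip] = now + self.lockout
            hits.clear()
            return True
        return False


def classify(method, path, status):
    """Map one request to a rule name, or None if it is not of interest."""
    if status == 404:
        return "404"
    # WordPress re-renders the login form with 200 on a failed POST and
    # redirects (302) on success, so "POST wp-login.php -> 200" is a failure.
    if method == "POST" and path.startswith("/wp-login.php") and status == 200:
        return "login_fail"
    return None


def scan(lines, tracker=None):
    """Feed log lines through the tracker; return [(ip, kind, when)] lockouts."""
    tracker = tracker or LockoutTracker()
    lockouts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # unparseable line, skip
        ip, stamp, method, path, status = m.groups()
        now = datetime.strptime(stamp, TIME_FMT)
        kind = classify(method, path, int(status))
        if kind and tracker.record(ip, kind, now):
            lockouts.append((ip, kind, now))
    return lockouts


def _line(ip, when, method, path, status):
    return (f'{ip} - - [{when.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed log lines (TEST-NET addresses), grouped per host."""
    t0 = datetime(2016, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):    # six failed logins in 75 s: locked on the fifth
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=15 * i), "POST", "/wp-login.php", 200))
    for i in range(21):   # scanner probing 21 missing plugin paths: locked on the twentieth
        lines.append(_line("192.0.2.44", t0 + timedelta(seconds=5 * i), "GET", f"/wp-content/plugins/p{i}/readme.txt", 404))
    for i in range(6):    # the owner's allow-listed IP mistyping the password: never locked
        lines.append(_line("203.0.113.10", t0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200))
    for i in range(6):    # slow guesser, one failure every 4 min: never five in one window
        lines.append(_line("198.51.100.8", t0 + timedelta(minutes=4 * i), "POST", "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    for ip, kind, when in scan(sample_log()):
        print(f"{when:%H:%M:%S} lock out {ip} ({kind})")
```

Two things the sample shows that the bullet points do not: the slow guesser from 198.51.100.8 never trips a fixed window, which is why the plugin also offers a per-username limit and why you should still enforce strong passwords; and the allow-list is what stops you locking yourself out while testing thresholds.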
A full list of features is available here.
What does iThemes Security look like? (Dashboard screenshot)
The plugin tells you which security risks are high, medium and low priority. This lets you make conscious decisions about the seriousness of each fix. We recommend implementing the High and Medium priority fixes without delay.
iThemes Security Tutorial
We have put together (with the help of iThemes) a detailed tutorial that takes you through all the steps needed to secure your website from attack. Whilst the screenshots show we are using the "Pro" version of the plugin, they apply to the free version as well. In fact, we used the free version without incident for 18 months. However, with all the new features coming to the Pro version, it is well worth considering if you take your website security seriously.
1. Before you get Started
Before you get started securing and protecting your website, we highly recommend making a backup of your website (specifically your WordPress database, wp-config.php and .htaccess file). The plugin allows you to make a basic database backup after activation, but iThemes recommend making a backup before installation as well. It never hurts to take your own backup too.
In rare cases where web hosts severely limit resource usage or execution time, the installation process may be interrupted, and should this happen during a database-driven step (such as renaming database tables) you may need to restore from backup. While this is rare, it never hurts to take adequate precautions via your own backup. We do not recommend relying on your web hosting provider's courtesy backup.
Once you have a backup of your website, you’re ready to get started.
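As an added, stand-alone illustration of that backup (our own script, not part of the plugin or of the iThemes tutorial), the following Python reads the database credentials out of wp-config.php, dumps the database with mysqldump and bundles the dump with wp-config.php and .htaccess into one archive. The wp-config.php snippet is constructed for the demo; the script assumes mysqldump is installed on the same box and that it is run by a user allowed to read wp-config.php.

```python
"""Out-of-band backup of the three things the plugin may rewrite: the
database, wp-config.php and .htaccess.  Added example, not iThemes code."""
import os
import re
import subprocess
import sys
import tarfile
import time
from pathlib import Path

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]+)['"]""")

# Constructed wp-config.php fragment used for the demonstration.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'correct horse');
define('DB_HOST', 'localhost:3306');
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return the DB_* defines plus table_prefix from wp-config.php text."""
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    if m:
        cfg["table_prefix"] = m.group(1)
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(cfg)
    if missing:
        raise ValueError(f"wp-config.php lacks {sorted(missing)}")
    return cfg


def mysqldump_cmd(cfg):
    """Build the dump command.  The password goes in MYSQL_PWD rather than
    argv so it does not appear in `ps` output or shell history."""
    host, _, port = cfg["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--routines",
           "-h", host or "localhost", "-u", cfg["DB_USER"]]
    if port.isdigit():               # "host:socketpath" forms are left alone
        cmd += ["-P", port]
    cmd.append(cfg["DB_NAME"])
    env = {**os.environ, "MYSQL_PWD": cfg["DB_PASSWORD"]}
    return cmd, env


def run_backup(wp_root, out_dir):
    """Dump the DB and archive it with wp-config.php and .htaccess."""
    wp_root, out_dir = Path(wp_root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    cfg = parse_wp_config((wp_root / "wp-config.php").read_text())
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dump = out_dir / f"{cfg['DB_NAME']}-{stamp}.sql"
    archive = out_dir / f"wp-backup-{stamp}.tar.gz"
    cmd, env = mysqldump_cmd(cfg)
    with open(dump, "wb") as f:
        subprocess.run(cmd, env=env, stdout=f, check=True)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(dump, arcname=dump.name)
        for name in ("wp-config.php", ".htaccess"):
            p = wp_root / name
            if p.exists():           # .htaccess is absent on nginx hosts
                tar.add(p, arcname=name)
    dump.unlink()
    os.chmod(archive, 0o600)         # the archive contains DB credentials
    return archive


if __name__ == "__main__":
    root, dest = sys.argv[1], sys.argv[2]   # e.g. /var/www/html /root/backups
    print(run_backup(root, dest))
```

Copy the resulting archive somewhere the web server cannot reach (it holds your database password and password hashes), and test the restore once before you rely on it.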
2. Installation and Activation
Follow the standard automatic or manual WordPress plugin installation steps by installing iThemes Security either via the WordPress.org plugin directory or by uploading the files to your server. Activate the plugin through the ‘Plugins’ menu in WordPress. After you activate it click the Secure Your Site Now button to start the process.
3. Important First Steps
- Step 1: Backup your website again. The plugin will make a basic database backup of your website and email the backup file to your designated address. Click the Make a backup button. Bear in mind that the dump contains user data and password hashes, so store it somewhere private rather than leaving it in your inbox. We recommend going further than this and backing up your files as well. The plugin may change your .htaccess or wp-config.php file, so make sure you can revert those changes in the rare event that something goes wrong during the installation process.
- Step 2: Allow file updates. Many of the functions of this plugin require editing some of your files, specifically your wp-config.php and .htaccess files. Click the Allow file updates button to allow the plugin to update these files safely, automatically. Remember to take a full backup first!
- Step 3: Secure your website. With the one-click secure button, you’ll enable all the default security settings recommended to secure your website. Click the One-Click Secure button. By doing this, you get a basic level of protection within minutes, and even if this is all you do, you are still in better shape than if you had done nothing. Of course, there are a few more tweaks you can make, as set out below.
4. iThemes Security Dashboard Overview
- Security Status: The Security Status section gives you a list of the remaining High, Medium and Low priority items that affect your website security. Click the Fix it button next to any item on the list to change the corresponding setting. They recommend completing, at least, the high priority items. These items will be moved to the completed section, once fixed.
5. Details about each tab and how their features secure your website
- Settings Tab: The Settings Tab allows you to customize your security setup on a feature by feature basis. Use the drop-down at the top of this page to easily navigate between sections.
- Advanced Tab: These settings should be used with extra caution on an existing website. Make sure you have a good backup before changing any setting on this page. Also, these settings will not be reversed if you remove this plugin.
- Backups Tab: The Backups tab allows you to create a database backup and adjust your backup settings. Click Adjust Backup Settings to customize how backups are handled on this website.
- Logs Tab: The Logs tab holds the security logs the plugin collects, such as file changes, 404 intrusions and invalid login attempts. This information gives you a picture of what is happening on your website and of how well your security measures are working.
- Help Tab: From here you can get access to support and pro features in iThemes Security Pro. If you need help securing your website, you can have a security expert secure it for you or get access to hack repair from one of their trusted partners (such as Sucuri, who we mention briefly below).
What else should you be doing to secure your WordPress website?
While we do not intend to go into a huge amount of detail in this article about the other steps you should take, we have a few tips below:
- Pick a host that takes security seriously. Many smaller hosts do not properly secure their servers, or, when a brute force attack happens, do not deal with it before it affects not only the server but also the other accounts on it. For this reason, we highly recommend SiteGround for any critical websites where even the smallest breach is disastrous. Fortunately, SiteGround also offers a 25 percent discount on the Pro version for their customers.
- Setup CloudFlare. CloudFlare has many security features, even on their free plan, but their Pro plan has Web Application Firewall (WAF) rule sets you can enable, including ones specific to WordPress. Of course, some hosts like SiteGround have their own WAFs, but it never hurts to have more layers of security. Remember that a WAF in front of your site only helps if attackers cannot reach the origin server directly, so restrict access to your server's real IP address.
- Make sure you update your plugins and themes regularly. Most of the common hacks and injections happen because of outdated plugins. In most cases, the vulnerability is fixed in later versions, so not updating can leave your installation wide open to attack. Also, always use a trusted source for your themes and plugins.
- Choose difficult passwords. We use a free program called KeePass (Editor's Note: We now use LastPass) that stores long, complex passwords, so every site gets its own random password and none is reused. Copying and pasting from the manager beats typing, but it is not a defence against a compromised PC: malware that can log keystrokes can read the clipboard just as easily, so keep your own machine patched and clean too.
- The cornerstone of any recovery from a hacked site is restoring it to a point in time before the hack took place. Don't be fooled by web hosting providers offering backups; these are mainly a courtesy, and their terms and conditions will soon tell you that they make no guarantee of backups being available. Fortunately, iThemes offer one of the best backup solutions around with their BackUpBuddy product (we will do a separate tutorial on this in due course), but there are others. What we like about BackUpBuddy is the ability to back up to third-party storage such as Dropbox or Amazon S3 (our preferred solution).
- Monitor your website for hacks. iThemes Security also tracks file changes on your website, but we prefer a more proactive approach and install the Sucuri WordPress plugin. This checks the website for malware, spam, blacklisting and other security issues such as .htaccess redirects, hidden eval code, and so on. It also verifies all WordPress core files for changes, which is useful for finding hidden backdoors. The plugin is free, but what we like about Sucuri is their paid service to remove malware from your website for just $89.99 per year. They will also tell you how to plug the vulnerability and, if the site gets hacked again during the year, happily clean it up again. We highly recommend it if you are facing problems.
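As an added example of what such file-change monitoring does under the hood (our own illustration, not the Sucuri or iThemes plugin code), the script below hashes every file under a WordPress root, keeps the result as a baseline and reports files added, removed or modified since. The directory layout, the skipped cache directory and the "intruder" edits in demo() are all constructed for the demonstration.

```python
"""File change detection: hash a tree, keep the manifest, diff later.
Added illustration; not the code of any plugin mentioned on this page."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed: high-churn directories that would only generate noise.
SKIP_DIRS = {"cache", "upgrade"}


def snapshot(root):
    """Return {relative posix path: sha256 hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff(old, new):
    """Compare two manifests; return (added, removed, changed) path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed site tree, then three intruder-style edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.4';\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "wp-content" / "cache" / "page.html").write_text("cached\n")
        baseline = snapshot(root)

        # Constructed compromise: a core file edited, a new file dropped,
        # .htaccess deleted, and a cache file rewritten (which must be ignored).
        with open(root / "index.php", "a") as f:
            f.write("// injected line (constructed sample)\n")
        (root / "wp-content" / "wp-tmp.php").write_text("<?php // dropped by intruder (constructed)\n")
        (root / ".htaccess").unlink()
        (root / "wp-content" / "cache" / "page.html").write_text("new cached copy\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Two caveats worth carrying over from the page's advice. Keep the baseline manifest off the server: an attacker who can write files can rewrite a manifest stored beside them. And for WordPress core, compare against the published checksums rather than your own baseline (WP-CLI's `wp core verify-checksums` does this), which catches a backdoor planted before your first snapshot.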
What if you have already been hacked?
- Seriously, prevention is better than cure; don't wait until you are hacked to do something about it. Follow the guide above and the other recommendations.
- If you find your website has been hacked, WordPress have a decent guide here on what to do. It is well worth following if you intend to troubleshoot the issue yourself.
- Over and above that, we recommend restoring your website to a point in time before the hack took place, then fixing whatever let the attacker in (an outdated plugin or a weak password) before you go live again, or the restored copy will be hacked the same way. If you cannot restore because you have no restore point, or you do not wish to lose the data, then you will need to consult an outside firm such as Sucuri. As we said before, their service at just $89.99 is a bargain.
So, what is our verdict? Well, in our opinion iThemes' two flagship products, iThemes Security and BackUpBuddy, are among the best solutions for security and backups around, and ones we have used extensively. While you can buy each plugin separately for $80, you can buy their whole plugin suite for just $247, and if you are a SiteGround customer you can get 25 percent off this. Regardless, it is a small price to pay for peace of mind.
Of course, there is nothing wrong with just using the free iThemes Security plugin as well!
Jonathan Griffin Editor, SEO Consultant, & Developer.
Jonathan Griffin is The Webmaster's Editor & CEO, managing day-to-day editorial operations across all our publications. Jonathan writes about Development, Hosting, and SEO topics for The Webmaster and The Search Review with more than nine years of experience. Jonathan also manages his own SEO consultancy, offering SEO developer services. He is an expert on site-structure, strategy, Schema, AMP, and technical SEO. You can find Jonathan on Twitter as @thewebmastercom.