When we talked about WordPress security basics, one of the resources I talked about and recommended was iThemes Security Pro. iThemes Security Pro is a paid plugin, but I have provided you with a download link for it here.
Links to Try Out iThemes Security Pro
There is your BackupBuddy download and there's your iThemes Security download. You won't get the next update that comes along for these and you are not going to get support from them for it, but you will get a chance to see how it works.
So these links give you a chance to test them out and use them as long as you want. But I encourage you at some point to buy it or to replace it with something that you like better.
Why I Don’t Recommend WordFence
I think iThemes Security is far and away better than, for example, Wordfence. Wordfence is just an incredible resource hog. It slows your site way down and fills your database with tons and tons of stuff. iThemes Security is much more lightweight and it doesn't do the same thing to your database. I wouldn't ever consider using Wordfence, but I happily recommend using iThemes Security.
Install the Plugin
Since I recommend using it I want to show you how to install and configure it. We’ll start by installing it here on this Professional Services website we’ve been working on creating in this course.
Go to Plugins and Add New, then Upload Plugin, choose the file, and select iThemes Security Pro 3.62. There is a free version of it too, but I want to show you the features that the Pro version has because they are pretty compelling.
Development Work and Security Plugins
For some kinds of work you can't do development on your site while the security plugin is running.
Deactivate or Wait to Add
When you're doing development work on your site you're trying to change things. When you're changing CSS or updating skin design options, that process actually creates a file on the server and changes that file on the server. Well, one of the things that security plugins often do is prevent exactly that from happening.
So you have to consider removing or deactivating the plugin. You don't want the security plugin active while you're doing development. Once you are done you can reactivate it or add a security plugin.
If Development Takes a Long Time
If you're taking a really long time to finish your development, then the best form of security for you is just to password protect your whole site, and then you don't have to worry about it at all.
Making a Quick Change to Your Site
Sometimes you want to make a change after your security plugin is active. In that case, you just need to deactivate the plugin before you can make changes, because it is really going to lock everything down.
Extra Security Protections Offered
This plugin will allow you to set up two factor authentication. And even if you don't have a licensed copy because you are just trying it out, you can still get brute force protection. Just click this button and hit Save Settings. You'll get the brute force protection available here.
Configure Security Settings – Free and Pro
If you have purchased a copy, then you can come over to Settings and iThemes Licensing. Come down here to Security and go to Settings first.
I'm going to click Security Check, which configures the settings. As soon as we hit Secure Site, all the modules listed here will be activated. Now we can close it.
Then I'm going to come over to Global Settings and allow iThemes Security to write to wp-config.php and .htaccess. I'm going to give it the right notification email. I'm going to ask for a daily digest email, so that once a day it will tell me if anything has happened rather than sending an email every time something happens.
This is a lockout feature for people who have tried to log in too many times. It also flags the IP address of somebody who has tried to log in too many times elsewhere: the plugin communicates with iThemes, and when an IP address that has already been blacklisted tries to log in, the site is protected.
Blacklist Thresholds and Membership Sites
You want to blacklist repeat offenders. The blacklist threshold is currently 3, and that's fine for a personal site, but this is not going to work for a membership site. If you've got members trying to log in to your site you can't give them only three chances. Really, even five chances is not enough. I know because I needed to raise my site's login attempt limit to ten.
That does mean the hackers can try ten times to get in before they get blocked, but it also means that none of my members who don't remember their passwords get locked out.
The White List – You’ll Never Be Blocked
There is a lockout whitelist which allows you to add yourself or anyone else you want to it. Just grab your current IP address like that and add it to the whitelist. That way you can mess up as many times as you want and it won't matter, because your IP address is on the list.
Email lockout notification sends you an email when somebody gets locked out.
We're going to keep Log Type as "Database Only", but we'll only keep that log for fourteen days. After that it gets thrown away.
And we're going to allow iThemes to track plugin usage via anonymous data, because we want them to know what's happening to our site so that it can help other people if we're being attacked.
We don't really have to worry about any of the rest of these, and we don't really need to show error codes. So we'll just leave it like that and save the global settings.
We're going to enable 404 detection. If somebody is trying to find a page that they think might be insecure and that page doesn't exist, this will be triggered. One of the things hackers do is search for lots of different pages. Evidence that that's happening to you is a bunch of 404 errors from the same IP address. This solves that for you.
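To make the two lockout rules above concrete (the blacklist threshold of 3 versus 10 for a membership site, the lockout whitelist, and 404 detection from one IP), here is an added example that is not part of the original post or of the iThemes plugin. It replays a constructed event list through a sliding window; the IP addresses and timestamps are placeholders, and 203.0.113.10 stands in for the site owner's own whitelisted address.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Each entry is
# (ISO timestamp, client IP, event kind), kind being "login_failed" or "404".
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "login_failed"),  # member who forgot the password
    ("2024-01-01T10:00:05", "198.51.100.7", "login_failed"),
    ("2024-01-01T10:00:09", "198.51.100.7", "login_failed"),
    ("2024-01-01T10:00:12", "198.51.100.7", "login_failed"),
    ("2024-01-01T10:01:00", "203.0.113.10", "login_failed"),  # the site owner's own IP
    ("2024-01-01T10:01:03", "203.0.113.10", "login_failed"),
    ("2024-01-01T10:01:07", "203.0.113.10", "login_failed"),
    ("2024-01-01T10:01:09", "203.0.113.10", "login_failed"),
]
# One client requesting 25 non-existent pages in 25 seconds: the 404 pattern the page describes.
SAMPLE_EVENTS += [("2024-01-01T10:02:%02d" % s, "192.0.2.55", "404") for s in range(25)]

# Assumed value: the page's whitelist step uses your current IP; 203.0.113.10 is a placeholder.
OWNER_WHITELIST = frozenset({"203.0.113.10"})


def find_lockouts(events, login_threshold=3, not_found_threshold=20,
                  window=timedelta(minutes=5), whitelist=frozenset()):
    """Return {ip: reason} for every IP that exceeds a threshold inside the window.

    login_threshold mirrors the plugin's blacklist threshold (3 by default, 10 for
    the author's membership site); whitelisted IPs are never locked out.
    """
    limits = {"login_failed": login_threshold, "404": not_found_threshold}
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    locked = {}
    for ts, ip, kind in sorted(events):
        if ip in whitelist or ip in locked or kind not in limits:
            continue
        when = datetime.fromisoformat(ts)
        hits = recent[(ip, kind)]
        hits.append(when)
        while when - hits[0] > window:  # drop events that fell out of the window
            hits.popleft()
        if len(hits) >= limits[kind]:
            locked[ip] = f"{len(hits)} {kind} events within {window}"
    return locked


if __name__ == "__main__":
    print("personal site  :", find_lockouts(SAMPLE_EVENTS, whitelist=OWNER_WHITELIST))
    print("membership site:", find_lockouts(SAMPLE_EVENTS, login_threshold=10, whitelist=OWNER_WHITELIST))
```

With the default threshold the forgetful member is locked out after the third failure; raising it to 10 keeps them in while the 404 scanner is still caught.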
You could entirely block access to the WordPress dashboard on a schedule, but I wouldn't.
Banning Users and Local Brute Force Protection
You can ban users based on specific IP addresses, and that is enabled. If you want to add your own list of IP addresses to ban, you can do it here. The same thing is true of local brute force protection; this will protect you from that.
Database Backups, File Permissions and SSL
Database Backups allows you to create a backup of your database. Backups can be created manually and on a schedule. Well, we've already enabled our regular backups on this site, so I'm not going to bother with that here.
Let's look at File Permissions. Click the button to load the current file permission details. Okay, those look fine. Brute force protection is already enabled.
If you've got SSL on your site, then you would enable this and go through that process. You can require strong passwords and enforce them if you wish. It's on now.
There are System Tweaks that you can add. If you enable the system tweaks, then you can protect system files and disable directory browsing. We'll do both of those, but you don't want to check Filter Request Methods because it will break the REST API.
We can filter suspicious query strings in the URL. We can filter out non-English characters. We can't filter long URL strings, unfortunately, because the Google API strings are long, so if you are using a Google API you can't do that.
You can remove file writing permissions. That can mean some things don't work properly, but at this point pretty much everything we want in the .htaccess and wp-config.php files has already been added. So we can go ahead and disallow any writing to those.
We can disable PHP in uploads. We can disable PHP in plugins. With Thesis we can't disable PHP in themes, although I suppose we can here because this is the themes directory. Let's save those settings now.
Let's go to WordPress Tweaks. Here you can remove the Windows Live Writer header. If you're not using things like Flickr and other XML-RPC-based tools, you can remove the RSD header. And definitely check Reduce Comment Spam.
We can disable the file editor, which I think is a very good idea because you shouldn't be editing the files directly from here anyway. We can also disable XML-RPC, unless you're using Jetpack or the WordPress mobile app. If you are, then you're going to leave it enabled.
And we're going to leave Restricted Access. We don't need to replace jQuery with the safe version because we're already okay with that. We'll disable the extra user archives. We're not going to protect against tabnabbing because that takes out the target="_blank" ability. I think the risk is fairly low and the benefit of having that is pretty high. Save those changes.
Configure Security Settings – Pro Only
Now we’re down into the things that are available only in the Pro version. Everything you’ve seen so far is available in the free version.
Pro has Malware Scan Scheduling, Privilege Escalation, Password Expiration, reCaptcha, Settings Import Export, Two Factor Authentication, User Logging, Version Management and User Security Check.
I'm going to configure Malware Scanning. It uses Sucuri to scan for malware. Those settings are fine, so we'll save that.
We’ve already got reCaptcha so we’re going to leave that off.
We're going to configure Version Management. We're automatically going to install the latest WordPress release, and we can automatically install the latest plugin updates and the latest theme updates.
If you're using plugins that are both mission critical and sometimes flaky, don't check Plugin Updates. On the Professional Services Architecture site we have built it's no problem, so we can check that, which means updates will be applied automatically.
And then we're going to check Strengthen Site When Running Outdated Software, because it automatically adds extra protections when an update has been available but hasn't actually been applied.
And you can scan your hosting account for old WordPress sites. Even though this site is being protected, you might not know what's going on with other sites, so this will help. It will tell you whether or not you've got old sites that need extra work. Let's save those changes.
User Security Check: I'm not using two factor authentication currently, so we're just going to leave that alone.
File Change Detection
There was one other that I missed. Go back up in the list and here it is, File Change Detection. I'm going to enable file change detection. Yes, we will split the scan into chunks. Then we're going to choose Exclude Selected, and what we're going to exclude here is wp-content and then Thesis. We want to let Thesis skins change files, which is why we exclude that here, but otherwise we're going to watch for all file changes.
We can ignore these file types here. For email file change notification we are going to leave it checked. Display File Change Admin Warning, leave that checked. And we'll enable online file comparison as well. Save those settings.
So the only things we aren't doing are SSL and Away Mode. And we can do Privilege Escalation later if we've got a problem. I don't like automated password expiration; that drives me a little nuts.
We're not going to do reCAPTCHA because, as I said, it's already being used. We've got that completely handled. Otherwise we're pretty well done with the settings.
If you want to scan your home page for malware you can do that here just to see what happens. It’s going to come back in a minute with a report. It’s clean and it’s not on a blacklist so it’s in a good state right now.
It's going to be very, very difficult to hack this site unless, of course, they know your password. If they know your password it's a whole different story. Otherwise it's very, very difficult to break into the site, put malware on it and get you in trouble. So that's why I like it, and I encourage you to use it as well.