A Guide on Using iThemes Security Plugin Efficiently

WordPress takes security very seriously. While the core files and the framework itself are very secure, the ultimate security depends on you. It is you who have to make sure that your WordPress-powered website is following the best security practices. Luckily, there are some free security plugins which can help us in doing this.

Among the various security plugins for WordPress, iThemes Security is a very popular one. Formerly known as Better WP Security, this security plugin has been downloaded for more than 3.5 million times from the official plugin directory. Today, let’s discuss about using the iThemes security plugin, its settings and configuration to ensure proper security for your website.

Installing & Setting Up The Plugin

First of all, install and activate the plugin in your website. Once you have activated the plugin, you will see a page like the following:

ithemes security plugin

We will talk about the first notice later in the article. Let’s start with the second notice first. Click the ‘Secure Your Site Now’ button. That will bring a new pop-up menu like the following –

ithemes plugin settings

‘Make a backup’ will create a backup of the database of your website. This is the first step for using this plugin. ‘Allow File Updates’ will permit the plugin to change two core files of your WordPress installation – the .htaccess and the wp-config.php file. This is required to use some of the features of this plugin. ‘Secure Your Site’ will enable the basic security settings that won’t conflict with other themes or plugins.

And lastly, the ‘Help Us Improve’ section will send anonymous data about your usage to the plugin developers. Once you are done with these options, click the ‘X’ button on the top-left corner of the pop-up box.

Now, did you notice that iThemes Security has added a new menu item in your website back-end?

The Dashboard

Let’s start with the dashboard. Go to Security -> Dashboard.

The ‘Getting Started’ area includes links to introductory videos, support and the pro version. Then, there is the ‘Security Status’ section, which is the most important part of the page. This section lists problematic items according to their severity. The items are divided into four categories – High Priority, Medium Priority, Low Priority and Completed. While the first three categories include potential issues, the last category shows the issues that are already taken care of.

using ithemes plugin settings

Besides each issue, there is a ‘Fix it’ button. The button will take you to the relevant section of the ‘Settings’ page to take care of the issue. You are strongly recommended to fix the high and medium priority issues. And if possible, try to review the low priority ones and fix them as much as possible.

The next section is titled ‘System Information’. It provides detailed information about the current user, file system, database, server, PHP, WordPress and the plugin.

ithemes system information

Then, there are the lockouts and re-write rules sections.

Using iThemes Security Plugin

Next, go to Security -> Settings. This is the page where you will define all the settings for iThemes Security. The first section is ‘Global Settings’.

Global Settings

We already allowed the ‘Write to Files’ option, remember? Now, provide an email address for the notification and backup delivery emails. Check the ‘Send Digest Email’ box to limit the number of notification emails. Then, set the messages for host lockout, user lockout and community lockouts. You can use basic HTML tags in the message. The next few options will allow you to set the number of allowed lockouts per IP, the number of days for the lockout and the lockout period for individual hosts or users.

The ‘Lockout White List’ will allow you to manually add IP addresses that will be whitelisted. Checking ‘Email Lockout Notifications’ will send an email notification when a user or a hot is locked out of your site. It is recommended to leave the rest of the options of this area as they are.

using ithemes security plugin

404 Detection

404 Detection detects the user who is looking for lots of non-existing pages and, therefore, receiving lot of 404 errors. In this case, this function assumes that the user is intentionally looking for weak points or vulnerabilities of the WordPress site. As a precaution, the user will be locked out from the website. All the errors will be saved and viewed later. Therefore, this feature can also help you in finding out hidden problems on various parts of your website.

Once you have checked the ‘Enable 404 detection’ box, some additional options will be revealed. By using these options, you will be able to set the number of minutes for finding out such incidents, the number of 404 errors to trigger a lockout, white list and ignored file types.

ithemes security detection

Away Mode

This option will allow you to limit access to your website dashboard for a specific time or at a particular time every day. By doing this, you can rest assured that while you are away, no one can access the dashboard. To enable this, check the ‘Enable away mode’ box.

Next, you will find some additional options below. If you have chosen one time as the limit type, set the start date and time and the end date and time. If you selected Daily restriction, then set the start and end time for the restriction.

Banned Users

If you want to ban any particular host or user agent, you can do that from this section. To do that, check the ‘Enable ban users’ box and then provide hosts and/or user agents you want to block in your website. Additionally, you can check the ‘Enable HackRepair.com’s blacklist feature’ to use its blacklist.

Brute Force Protection

WordPress is known for its weak defense against brute force attacks. However, you can bypass this weakness by using iThemes Security’s Brute Force Protection feature. Remember we skipped the first notice at the beginning of this article. The first option of this section refers to that notice. If you clicked on that notice, you would have been brought here.

Check the ‘Enable local brute force protection’ to enable this option. Once thus is enabled, you will find some additional options below. These options will allow you to limit login attempts per host, per user and the time limit for counting login attempts.

WordPress brute force protection

Database Backups

Having a complete WordPress backup is one of the most reliable ways of protecting your site against potential threats. If you have a full backup, you can restore your website any time you want. The first check box will include all tables in the database.

Then, you can choose to save your backups as email, locally or even both. You can also set the backup location, keep specific number of backups, compress backup files, exclude certain tables from the backup and schedule database backups. The last option will reveal another hidden option which sets the backup interval.

File Change Detection

This feature will let you know if any file of your website has been changed. If anyone tries to hamper your website, he will have to change file(s) in order to do that. By enabling file change detection, you will be alerted immediately in case of such incidents.

Hide Login Area

If you enable this feature, the defaults login pages like the wp-admin.php, wp-login.php, etc. will be hidden. Therefore, anyone trying to get unauthorized access to your website will have a hard time in doing so. After checking the box, set the login, register and theme compatibility slugs.

Malware Scanning

In order to enjoy this feature, you have to register with VirusTotal and get an API key from them. Do so if you want to enable it, I will skip it though.

ithemes plugin for security

Secure Socket Layers (SSL)

SSL encrypts the transmitted data between the users and your website. Therefore, hackers or abusers will not be able to intercept the data transmission process. If your host supports SSL, then you can apply it to your website by enabling this feature. You can apply SSL to the whole site or selected sections only.

Applying SSL to the entire site will make it slower. Therefore, it is recommended to use SSL in selected pages like the login page, admin area or any other page that contains sensitive data.

Strong Passwords

Enabling this feature will force the new users to choose strong passwords for their account. You can determine the minimum level of users on which this feature will apply. If your website is open for public registration, then you should not select Subscriber, Contributor and probably Author as the minimum role.

System and WordPress Tweaks

In these areas, iThemes Security provides you with some advanced level settings for ensuring a more secure website. However, some of these tweaks could conflict with your existing themes or plugins. Therefore, it is highly recommended that you test your site thoroughly after enabling each of these features.

WordPress security passwords

Advanced Features

Let’s move on to the advanced features now. This is in Security -> Advanced. The first section is ‘Admin User’. This section will allow you to change the standard user attributes so that hackers can’t exploit these characteristics. You have to provide a new name for the ‘admin’ account. Then, there is an option to change any user with the ID of 1.

Next section is ‘Change Content Directory’. Usually, all of your contents are stored in the ‘wp-content’ directory. Therefore, attackers can easily target that particular list to hack your website. Changing the directory name could add an extra layer in your overall security.

‘Change Database Prefix’ is the last section of this page. By default, all the WordPress tables in the database are prefixed with ‘wp_’. Being a well-known fact, potential hackers can write a script to find out such tables. Changing the default table prefix will make the job harder for them. However, before enabling this feature, it is strongly recommended to have a complete backup of your database.

ithemes advanced features

Other Features

  • Next is Security -> Backups. This page does not have lot of options. In the ‘Make a Database Backup’ section, you can create a database backup. We already set up backup options, remember? There’s nothing more to do here.
  • Go to Security -> Logs. This page will show you all the records created by iThemes Security. By clicking on the ‘Details’ link of each log, you can view detailed information about that event. You will also be provided with the time, host, user and URL of the events. And lastly, there is a ‘Clear Logs’ button to remove all the logs.
  • In Security -> Help, you will find a link to free support and some other promotional offers if you want to use the Pro version of the plugin.

Now Read: Essential WordPress Security Plugins


If you followed me throughout this guide, congratulations, you would have a more secure website. However, security is a continuous process, and you always have to work your way around it. So, don’t just depend on security plugins, use your common sense too.

If you have any confusion about the article, or want to share some tips on making WordPress sites more secure, feel free to use the comment box below.

Leave a Reply

Your email address will not be published. Required fields are marked *