by Adam Preiser updated December 27, 2017

How To Secure Your WordPress Websites With iThemes Security – Review & Tutorial



Continuing on in this WordPress security series, in this video, I will show you how I like to configure iThemes Security.

iThemes Security is the perfect plugin to secure your websites, in fact, I use it on all of my websites.

There is also a Pro version of the plugin. It's nice to have, but I personally don't really use that many of its features, so this video is only on the free version of iThemes Security.

Here is the link to take a look at the pro version if that interests you:

Video Transcript

In this video I'm going to teach you how to secure your website using the free plug-in iThemes Security. Hi, my name is Adam, from the site where I make WordPress videos for non-techies. If you enjoy the content in this video, consider clicking on the subscribe button. If you want notifications, there's a little bell off to the side of that you can click on, and YouTube will let you know when I've got some new videos out.

So this is another video in the security video series that I have going on right now for WordPress. In the first video in the series I took a look at all the various security plug-ins and gave some food for thought on those plug-ins to enable you to make the best decision for you. This video is just going to be about one of those plug-ins I talked about, and it happens to be the one that I personally use on my websites: it's called iThemes Security.

Now there is a free version and a paid version. The free version can be downloaded right here, and I'll have a link to it down below. The paid version is right here, and there are some additional bells and whistles, although, like I said in the first video of this series, even though I have the Pro version installed on my website I don't really use a lot of the Pro features, so it's not one of those must-buy type of things.

One of my favorite features, and I talked about this in depth in the first video of this series, is to have a security plug-in where you can link into a shared database of resources of hackers that are trying to hack into websites, so that you can kind of be proactively secured by the plug-in, and that is something that iThemes Security has. Let me scroll down to show you what they actually call it. It's right here: they call it the iThemes Brute Force Attack Protection Network, and that is what you want, something just like that.

So anyway, scrolling down below, let me just go over the pricing of this real quick. I don't think it's that expensive. I'm scrolling down and it's right here: they have a single site version or two site version, 80 bucks a year, or you get a lifetime version for 300 bucks. That's perfect if you're an agency and you are making websites for people, or you work on WordPress websites for people and offer this as a service, and that's only 300 bucks lifetime, but you get a year of support. I've never needed support.

So here we are. Go to Plugins, Add New, and let's go ahead and install this sucker. All right, so I'm going to just do my search for iThemes Security, and here it is. Now this used to be called Better WP Security, and this was actually a plug-in that was acquired by iThemes, and I'm glad they did that, because ever since they did that they've added so much more to it. It's definitely a great solution. Okay, so go ahead and click on Install, and then I'm going to activate it.

Now I did consider in this video adding the paid version, but I will just go over the free version in this, and you can look at the sales page to see the features that come with the paid version of the plug-in. I do have a course on security, though, where I do go over the Pro version of the plug-in. So I'm going to go ahead and activate it, and we'll go through it all together for the first time.

So actually there is one thing I really don't like about plug-ins and stuff like that, where they put big notifications here, but I get it. So right here is a notification that lets you know what's new with the plug-in, and then this right here is actually going to be super important. It says right here: take your site security to the next level by activating iThemes brute force network protection. This is a feature that I was saying, and I keep saying, you want. You want to go ahead and click on this right here to get a free API key; it doesn't cost any money. So let me just go ahead and close both of these notifications now, and we'll go through that in a moment, going ahead and getting that API key. It's a super simple process.

All right, so right here is a new option that was added to the menu system, and we only have a couple of options in here: our settings, a security check, logs and a link to get the Pro version. However, if you do want to get the Pro version, please do it through my website. If you purchase it through the link on my website, I give you access to my security training program, called WordPress Security Essentials; I give you access to that for free. It's normally a hundred dollars.

Okay, so this is what I like: you click on Settings, you haven't been here before, and there's this easy one-click option saying these are the things that this plug-in brings to the table that you need to enable in order to secure your website. So it's literally like one click. So I'm going to go ahead and click this here, and part of what it is going to do is get me that API key, and that's actually the first thing right here, it says.

So essentially, to get the API key, you just give them your email address. I gave them my email address maybe years ago; they don't spam you or anything like that, they're a totally legit company, iThemes is. Right here, if you want updates, like informational updates via email, you can leave this on Yes, or you can put it on No. I don't get those updates via email. So you want to go ahead and click on this button here to activate the brute force protection, and it's going to go ahead and pull an API key in.

Now the reason I'm getting this red warning is because this WordPress website that I'm on right now is actually on my local computer. You can see it in the URL, which means it's a local WordPress installation on my machine. iThemes Security knows that, and it basically says whoa, you don't need an API key; there's no reason to give you an API key because it's not a public website. But if I had this on a public website address, or any of those types of website addresses, it would know I'm not on my local machine, and it would have given me that API key. The thing is, here it did a bunch of the other things that it said it was going to do, and we can just go ahead and click on Close.

So right now you are way ahead of the game. You could stop right now if you wanted to. Now if you want to know all the fine details of this plug-in, I'm going to continue going on, but just with what you've done so far, you've connected into the brute force network, you've secured your login form from someone trying a bunch of different usernames and passwords; there's just a whole laundry list of things you just secured your site from with one click, and I really like that.

So as you notice, right now there's quite a bit of settings here for this plug-in, and that's a whole bunch. Now there's two different views, and they at least try to make this easy by grouping them together. So right now you see them in these groups, and then you can just click on these buttons and see the specific settings in it, but here's a little icon you can click and it just shows them in a list. If you like this, this might be a little easier to process. One thing I don't like is it's not sorted alphabetically; it's kind of sorted by priority, or what they feel priority is. So I'm looking at the recommended; there is also some advanced right here. I can just click on this and it just shows me all of the various settings.

Now here are the Pro ones that you only get if you have the Pro version installed: that's malware scan scheduling; privilege escalation (that's if you want to temporarily allow a vendor to fix something in your website); password expiration (I don't like that personally); reCAPTCHA (that is actually very cool, that's going to help reduce the spam that your comments section might get, but there's also other plug-ins for that); settings import and export (I really like that); two-factor authentication (don't like that); user logging (don't like that); user security check and version management. So you can decide if the paid version is for you or not.

So now what I'm going to do is just start blasting through these different sections and telling you some of the things. I mean, I want to try to go in depth, but not so in depth that this is a super long video. I know we all have other things to do; we just want secure websites. So with that said, let's get started.

So I believe this Security Check one, when I click on Configure Settings, it's really just that first step that we went through, so it's kind of showing you these are the things that it enabled by default for us. Let me go ahead and click on Cancel and collapse that.

Then we have our Global Settings here that you can take a look at. Now a lot of this is just your general settings, so here's a notification email that the plug-in will use to notify you of things. There's actually, I've got to make sure I get this setting right, there is a setting that if someone tries to log into your website and fails, you get a notification. Those things will drive you nuts, so we've got to make sure that we disable those. So here's that: enable or disable the digest. That's going to be just kind of an email letting you know that the plug-in is doing what the plug-in is supposed to do. Backup delivery email: this doesn't back up your website, but it will back up the database of your website, which is really good.

So next we have some messages that people would get when they're trying to do things that they shouldn't do, or they're making mistakes. So this will be what happens if someone is trying to log in and there's problems with that; the message is there. And here's even the lockout message, so you can make it say something fun or friendly, or just go with what it says right here. This is actually really cool: so this is the message, I guess, related to if someone's attacking some other website that has iThemes Security and then they try to go in and do some hacking on your website; this is the message that they're going to get.

Now when we scroll down we've got some thresholds here. So this is where you define how many times someone can try to login before you identify them as someone that's trying to just hack into your website. Now typically, if you have a website where you're the only one logging in, as the admin, you can set this number on the low side. But if you have a website like mine, where more people are logging in, people are bound to unfortunately forget their passwords from time to time, and you don't want to make it an administration nightmare for you: a customer tries to log in to your website but then they get locked out, and then they contact you, and then you have to take some of your time to fix something or to remove their ban. It can be a bit of a pain in the butt. So you might want to set these thresholds based upon how you use your website. And there's also how long they'll be locked out for; right now by default it's 15 minutes. So for me, I set this to a lot longer in the lockout. A lot longer, because typically on my website people are good about remembering their passwords; it's very rare that they don't remember their password, and there's also a password reset option.

And right here you can actually add people's IP addresses; there's a whitelist and a blacklist feature here, and this will explain how that works. That's a little on the techie side, and this is what you don't want.

Okay, email lockout notifications: you're going to want to disable this thing, because it's going to get annoying getting an email every time someone can't login properly, or someone is trying. It's not that those emails aren't fine, but when someone tries to hack into your website and they're trying every username under the sun, you're going to get all kinds of different emails. It's going to get annoying really quick.

So right here it will do logging. You can choose to have a log in the database or a file or both; it's up to you how long you want it to log things, and a link to those log files. This will all be set by default; you might want to just leave that the same. If you want iThemes Security to be able to see how you're using the plug-in, you could check this box right here; I would check it.

These are some other settings here that you might not need, but this one you might want to enable, and I do. It's the iThemes Security item in the admin bar; you can see it's "Security" here. I don't need a shortcut there; this area gets a little crowded, so I like to disable that myself. Let me go to Save Settings and see if that disappears. I bet if I refresh the page that would disappear. Okay.

So 404 Detection: this is actually, I think, good to enable. So this lets you know if someone's going to a page, or searching for pages, or going to a URL on your website that doesn't exist. Typically your website will show what's called a 404 page, and this will kind of track what those guys are doing, and you can even ban people based on that. So let's take a second look at the settings when we enable it. So we have the same thing, we have these same thresholds here. Now what I've noticed, and I'm actually surprised it doesn't enable that by default, what I've noticed is if a plug-in has a vulnerability, the way it's exploited is by going to a specific URL, and the scanners out there are looking for that specific URL to see if whatever exists, and then they'll hit a 404 page. So this helps monitor that and secure you from that as well.

Now the Away Mode, this is that thing I was telling you about. Let me expand it and then enable it right here. To enable the mode, you've got to make sure you set the time right, and you have to have the time zone set properly in WordPress for your website; you just go to General Settings. But this will make it so no one can log in at all during certain hours. It's good if you know you're going to be sleeping during a certain period of time and there's no need to be logging in; it just locks the website. You might want to enable this; however, if you do enable this and you want to log in to your website, it's going to be a major pain in the rear end, because you won't be able to log into your website. So I'm going to go ahead and cancel it, and that's definitely up to you. So that was the Away Mode.

Banned Users: now this right here is where, if say you had someone's IP address and you want to ban them from your website, you just put their IP address right here and it will ban them specifically. And you can also opt in right here to the online blacklist, and these are, you know, computers that are known, or websites that are known, to be spammy, hacking, all that. You can just globally ban them by clicking on this checkbox right here. I do have that enabled, and I haven't seen any problem; no one said hey, I'm trying to reach your website and I can't do it. So that is this option here, the Banned Users, and I like that they have that. And there have been times where someone's maybe harassing me and I have their IP address; I just pop the IP address in here and then they can no longer access my websites. I do that a lot.

Local Brute Force Protection, right here: this is where you're going to set the attempts of someone trying to hack into your website, and how long to remember those attempts of putting in a password wrong. I like this feature a lot: if someone ever tries to login with the username "admin", it's going to be an immediate ban, and you shouldn't have admin or administrator or webmaster or anything like that as your username. Obviously, if your username is admin and you enable this, you're in a bad spot, but I would go ahead and recommend always making sure you don't use that as your username, and then go ahead and enable this. That's how I do it.
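The threshold logic behind the 404 Detection and Local Brute Force Protection sections above, as an added example (not iThemes Security's own code): a sliding window of remembered attempts per host and per user, a lockout once the window fills, and an immediate host lockout for banned usernames. The policy numbers, IP addresses and event stream are constructed for illustration.

```python
"""Windowed lockout counters modelled on the 404 and login thresholds described above.
Added example, not iThemes Security's code; all numbers and events are constructed."""
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, max_attempts, remember_seconds, lockout_seconds):
        self.max_attempts = max_attempts          # hits tolerated inside the window
        self.remember_seconds = remember_seconds  # how long earlier hits are remembered
        self.lockout_seconds = lockout_seconds    # how long the resulting lockout lasts


# Three counters: per-host login failures, per-user login failures, per-host 404s.
POLICIES = {
    "login_host": LockoutPolicy(5, 300, 900),
    "login_user": LockoutPolicy(10, 300, 900),
    "404_host": LockoutPolicy(20, 300, 900),
}
BANNED_USERNAMES = {"admin", "administrator", "webmaster"}  # immediate ban, as on the page


class LockoutTracker:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.hits = defaultdict(deque)  # (policy, key) -> timestamps of recent hits
        self.locked_until = {}          # "host:x" / "user:y" -> time the lockout expires

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def _count(self, policy_name, key, now):
        """Record a hit; lock the key and return True if the window threshold is met."""
        pol = self.policies[policy_name]
        q = self.hits[(policy_name, key)]
        q.append(now)
        while q and now - q[0] > pol.remember_seconds:  # forget attempts outside the window
            q.popleft()
        if len(q) >= pol.max_attempts:
            self.locked_until[key] = now + pol.lockout_seconds
            q.clear()
            return True
        return False

    def observe(self, now, host, subject, kind):
        """kind is 'login_fail' (subject = username) or '404' (subject = path).
        Returns the lockout reasons this single event produced, [] if none."""
        host_key, user_key = "host:" + host, "user:" + subject.lower()
        if self.is_locked(host_key, now) or (kind == "login_fail" and self.is_locked(user_key, now)):
            return ["already_locked"]
        if kind == "login_fail" and subject.lower() in BANNED_USERNAMES:
            self.locked_until[host_key] = now + self.policies["login_host"].lockout_seconds
            return ["banned_username"]
        reasons = []
        if kind == "404":
            if self._count("404_host", host_key, now):
                reasons.append("host_404_threshold")
            return reasons
        if self._count("login_host", host_key, now):
            reasons.append("host_login_threshold")
        if self._count("login_user", user_key, now):  # catches one user hit from many hosts
            reasons.append("user_login_threshold")
        return reasons


def run_sample():
    """Constructed event stream; returns only the events that triggered a lockout."""
    events = [(t, "203.0.113.7", "editor", "login_fail") for t in range(0, 60, 10)]
    events.append((60, "198.51.100.9", "admin", "login_fail"))
    events += [(100 + 2 * i, "192.0.2.44", f"/missing-{i}", "404") for i in range(20)]
    events += [(500 + i, f"203.0.113.{100 + i}", "editor", "login_fail") for i in range(10)]
    events.append((2000, "203.0.113.7", "editor", "login_fail"))  # lockout has expired by now
    tracker, triggered = LockoutTracker(), []
    for t, host, subject, kind in events:
        reasons = tracker.observe(t, host, subject, kind)
        if reasons:
            triggered.append((t, host, reasons))
    return triggered


if __name__ == "__main__":
    for t, host, reasons in run_sample():
        print(t, host, reasons)
```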

Now here is the database backup feature. If you wanted to, I suggest going ahead and having a full backup; I do have a video on that. It doesn't cost you anything, though; the plug-in facilitates it. But if you wanted an additional resource for backing up just your database, you can do that here. I don't enable this because I do backups elsewhere, so it doesn't make sense for me to enable that.

Here is File Change Detection. I do like this, but sometimes it can be annoying if you're using caching on your website, because it changes files and that's normal. But what's nice about this is it will kind of notify you if someone has, say, hacked the server that your web host is on and tries to modify any of the files in your core WordPress. This can actually send you email notifications of that, so it can be a good first early indication that someone has tried to hack into your website, and so I do have this enabled myself, and I do really like the feature.
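How a file change detector of the kind described above works, as an added example (not iThemes Security's code): hash every file under the site root into a baseline manifest, skip a cache directory that legitimately churns, then compare a later snapshot to report added, modified and removed files. The directory tree and file contents are constructed in a temporary folder for the demo.

```python
"""Baseline-and-compare file change detection. Added example, not iThemes Security's
own code; the mini site tree built by demo() is constructed for illustration."""
import hashlib
import os
import tempfile


def build_manifest(root, ignore_prefixes=("wp-content/cache/",)):
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore_prefixes):
                continue  # cache plugins rewrite these constantly; not a signal
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of paths added, modified or removed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline, then a core file edit, an unexpected upload,
    a deleted plugin file and harmless cache churn; only the first three are reported."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-includes/version.php", "<?php // core file\n")
        _write(root, "wp-content/plugins/old-plugin/old-plugin.php", "<?php // plugin\n")
        _write(root, "wp-content/cache/page-1.html", "<html>cached</html>\n")
        baseline = build_manifest(root)

        _write(root, "wp-includes/version.php", "<?php // core file\n// unexpected edit\n")
        _write(root, "wp-content/uploads/unexpected.php", "<?php // should not be here\n")
        os.remove(os.path.join(root, "wp-content/plugins/old-plugin/old-plugin.php"))
        _write(root, "wp-content/cache/page-1.html", "<html>re-cached</html>\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(change, paths)
```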

Right here we have File Permissions. I don't recommend you modify any of the settings here in the file permissions.

Hide Backend: okay, so what this is going to do is, when you want to login you go to the name of your website/wp-login.php, and this is if you actually want to hide that. And I'm kind of not so sure I like this feature, because there might be other plug-ins you have on your website that need to look in those locations, so if you enable this and you hide your login and the back end of WordPress, it could cause some problems. Now, when you enable it you could choose the login slug, so it won't be wp-login, it will be what you set here, and this will be what happens if someone goes to the wrong location. I'm kind of iffy on this one; I would recommend not enabling it. But if you know for sure it's not going to cause a conflict in anything that you are using, this is guaranteed the best way to not have any login attempts on your website, because there's no way of really knowing what the login URL is, because you've changed it.

Okay, here's Network Brute Force Protection, and when I click on it my API key isn't good, because it knows I'm on the local; these are my websites on my local computer.

Okay, there's some SSL options here; let's take a quick look at that. Essentially what this is saying is it will try to make your website more SSL friendly, security certificate friendly. I do have a video on that; I usually use Really Simple SSL for that, so I don't use these options here.

Here's the Strong Password Enforcement. Now this is actually up to you how you want to use this; it could be kind of a pain in the rear. And I know on my website I have normal users creating accounts and logging in, and I want to make that process really simple and easy, so I tend to stay away from these plug-ins, or any of these methods, to force them to have capital letters, multiple numbers, strange characters and all that, because personally I find it a little irritating when some of those are a little too restrictive, having to reset it over and over and over.

So here are some System Tweaks; let's enable that and take a quick look at what it is offering us. So a lot of these I actually have enabled on my website. So Protect System Files, I have that enabled. Disable Directory Browsing, I enabled this as well. The request methods, suspicious query strings, I have that enabled. This one has caused me problems in the past, the Filter Long URL Strings. I have noticed some plug-ins, for example a real estate plug-in where it pulls in the real estate listings and someone clicks on it and generates a really long URL; with this enabled it causes problems, it thinks it's suspicious, and it unfortunately will cause a problem with that plug-in. So you do want to be careful with this. Right here, the file writing permissions: your web host already has those set properly, so you don't need to enable anything right here. I do disable PHP in uploads and plug-ins and themes, and so those are good to have.

So we're almost there; we only have a few more of these to go, so let's go through them quick. We have some WordPress Tweaks here. I do have most of these enabled myself, especially this one right here, this XML-RPC. There are some vulnerabilities in here, and this is so you can have, say, maybe a desktop application push content into your WordPress website; that's one of the things that this enables you to do. Now I keep this disabled right here; I actually have this right here, this is the option that I choose, and it's also the recommended option here. But what you want to do is, if you enable this and you notice some app you have isn't able to work with your website the way that you think it should, go ahead and leave that one enabled right there. I keep this one on Block. And let's see, okay, so these are just some other things here; I actually don't keep those enabled.

Right, Admin User: let's take a look at this, and this is, you can enable this if you want. It's essentially going to make a change in the database. It's pretty safe to do this and not have a problem; it's up to you though. It's not, definitely, I may not be a deep security expert, and my thought is this is not so necessary.

WordPress Salts: that's a pretty technical thing right here. I've had to, I do know the times I've used this is when I wanted to force everyone to be logged out of my website. I enabled this, saved it, and it's going to reset something in your wp-config file that's going to force everyone to be logged out and have to re-log in.

Let's see, Change Content Directory: I do not recommend this. Do not do this. All your content is basically in a folder called wp-content; it will change that to something different. I don't like changing anything that deals with the core of WordPress.

Change Database Prefix: you can do this; I have done this myself. I really don't know how vulnerable your website is when you have that, when you don't have this enabled, so I can't really speak to it; however, my guess is it's not super crucial. But you might want to change that prefix if you're comfortable looking at your raw data in the database; you'll see what that does.

Server config rules, that can be left, and this can be left; that's all automatic. And then you have these settings right here.

So this is pretty much securing your website. I mean, literally, if you installed it and just activated that quick setup there and the things that it activated, you'd be so ahead of the game. But if you pair this with a good backup solution, where your website's being backed up on a schedule off site, you're pretty much bulletproof; you really don't have a lot to worry about at all. And I've been using this plug-in with fantastic success for a long time, and it has not slowed down my website one bit. And like I said, a lot of these things, the biggest security threat is just that brute force hacking, and when there is some form of a widespread vulnerability on a WordPress plug-in, this is going to protect you from just about all of that. But you still need that backup.

So anyway, if I went over anything too quick, or you had any specific questions about this plug-in, I'd like to encourage you to ask me down below in the comment section. I will have links to everything in the video description box. If you did purchase the professional version of iThemes Security, do it through the link on my website; I'll be more than happy to give you access to my full security course, WordPress Security Essentials. Thanks for watching.

My passion is making the best quality video tutorials online, for non-techies. When I am not behind the camera, I am usually helping out one of my YouTube subscribers.
