Last time I checked, WordPress websites power over 30% of the top 1-million websites in the world. That’s a LOT. The downside of this is that the popularity of WordPress makes it a big target for hackers, because they know that there are a lot of potential targets. Some basic website security will help you strengthen your site’s defenses against common attacks.
You don’t have to be a computer engineer to enable basic website security – there’s a plugin for that. There are actually several plugins for that, but my preferred one is the iThemes Security plugin, which is available for free in the WordPress plugin repository.
Before you make any changes to your website, I always recommend performing a complete website backup. If you’re not sure how to back up your site, check out this blog post.
When you install and activate the iThemes Security plugin, you’ll need to go to its Settings page to get started. Look for the Security menu item on the left side, and then Settings under that. When you first install the iThemes Security plugin you will be offered some quick settings to enable basic website security. These settings give you a solid base for securing your website even if you do nothing else beyond this.
Of course, I recommend a few other settings as well. When you’ve completed the basic website security settings, go to the Settings page again for more options and try out the things below:
- Whitelist your IP Address – Since most of the visitor banning that this plugin (and others) does is based on the visitor’s IP address, you want to be sure that your IP address is white-listed so that you can’t be locked out, even accidentally. To do this, go to the Global Settings option and select Configure Options. Then scroll down until you see the option for “Lockout White List” and click the blue button to white-list your current IP address. When you click the button, your IP address should be added to the box immediately above it. Then just hit the Save Settings button and you’re all set.
- Enable 404 Detection – This will track the IP address of site visitors that repeatedly go to pages/files that don’t exist on your site. Hackers will often use this method to find files that have known security issues that they can try to exploit. By blocking the IP address of a user trying to access these, it prevents them from continuing to try until they find one that they can exploit. The standard settings give any given IP address 5 attempts to access a non-existent file before locking it out, but you can up that if you think your visitors are likely to hit a snag often. (Try running a broken link check before you enable this, to make sure you don’t have a lot of broken links generating 404 errors, so you don’t accidentally block a bunch of your visitors.)
- Enable File Change Detection – This will compare your files and let you know if they’ve been changed. While it can be annoying to get file change notifications when you update your WordPress core files, themes and plugins, it’s really good to get the notification when a file changes and you didn’t run an update, which can be a sure sign that someone else is changing your files. Note that some backup and caching plugins make file changes and those are usually okay, but you’ll get to know which files are commonly updated, and which should make you suspicious.
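As an added illustration of the 404 detection rule described above (example code written for this post, not the iThemes plugin’s own), here is a small Python script that applies the same logic to web-server access-log lines: count 404 responses per IP address, skip white-listed addresses, and report any address that reaches the default of 5. The log lines and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Default described in the post: 5 requests for files that don't exist from
# one IP address before that address is locked out.
MAX_404_PER_IP = 5

# Common log format: client IP, identity, user, [timestamp], "request", status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, path, status) for one access-log line, or None if malformed."""
    m = LOG_LINE.match(line)
    return (m.group("ip"), m.group("path"), int(m.group("status"))) if m else None

def find_404_lockouts(lines, whitelist=(), threshold=MAX_404_PER_IP):
    """Count 404s per client IP and return {ip: [paths]} for each IP at or over
    the threshold. IPs in `whitelist` (your own, like the plugin's Lockout White
    List) are never reported. The paths show whether the 404s look like stale
    links or someone probing for files that aren't there."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or malformed line
        ip, path, status = parsed
        if status == 404 and ip not in whitelist:
            hits[ip].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

# Constructed sample log (not real traffic): 198.51.100.9 follows one stale
# link, 192.0.2.10 is the site owner checking unpublished URLs, and
# 203.0.113.7 requests five plugin directories that don't exist on this site.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "GET /old-post/ HTTP/1.1" 404 233
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 4120
192.0.2.10 - - [10/Mar/2024:10:01:00 +0000] "GET /draft-1/ HTTP/1.1" 404 233
192.0.2.10 - - [10/Mar/2024:10:01:01 +0000] "GET /draft-2/ HTTP/1.1" 404 233
192.0.2.10 - - [10/Mar/2024:10:01:02 +0000] "GET /draft-3/ HTTP/1.1" 404 233
192.0.2.10 - - [10/Mar/2024:10:01:03 +0000] "GET /draft-4/ HTTP/1.1" 404 233
192.0.2.10 - - [10/Mar/2024:10:01:04 +0000] "GET /draft-5/ HTTP/1.1" 404 233
203.0.113.7 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/plugin-a/ HTTP/1.1" 404 233
203.0.113.7 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-content/plugins/plugin-b/ HTTP/1.1" 404 233
203.0.113.7 - - [10/Mar/2024:10:02:02 +0000] "GET /wp-content/plugins/plugin-c/ HTTP/1.1" 404 233
203.0.113.7 - - [10/Mar/2024:10:02:03 +0000] "GET /wp-content/plugins/plugin-d/ HTTP/1.1" 404 233
203.0.113.7 - - [10/Mar/2024:10:02:04 +0000] "GET /wp-content/plugins/plugin-e/ HTTP/1.1" 404 233
"""

# White-list the owner's address, exactly as you would in the plugin settings.
LOCKED = find_404_lockouts(SAMPLE_LOG.splitlines(), whitelist={"192.0.2.10"})
```

Without the white-list entry the owner’s own address would be reported too, which is exactly the accidental lockout the first tip guards against.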
All in all, this should only take about 20-30 minutes to complete, and then you can feel more secure in your website’s security. Remember though that no website is completely hack-proof, and it’s still important to perform regular backups of your site and to keep your site updated.