Setting up iThemes Security

Setting up iThemes Security

Adding iThemes to your site is a great way to add basic security measures and reduce the risk of automated attacks crippling your website. Here we'll run through the steps to set up a basic installation.

1) Install iThemes Security Pro - while in the plugins section click 'License' under iThemes Security Pro and sign in to the account that was used to purchased the license, then navigate to Security > Settings, then click the 'All' filter at the top of the screen to begin setup

2) Temporarily whitelist your IP to prevent lockout

3) Global Settings:

1. Allow Write to Files
2. Add your emails as the Notification Email
3. Skip over Send Digest Email and Backup Delivery Email
4. Set Host Lockout Message to "Your IP has been blocked due to too many 404 errors"
5. Skip over User Lockout Message and Community Lockout Message
6. Enable Blacklist Repeat Offender
7. Blacklist Threshold should be 5 Lockouts
8. Blacklist Lookback Period should be 3 days
9. Lockout Period should be 15 minutes
10. Add your current IP to Whitelist to avoid ever being banned
11. Skip the rest of Global Settings
12. Save settings

4) 404 Detection:

1. Enable 404 detections
2. Minutes to Remember 404 Error (Check Period) should be 5 minutes
3. Error Threshold should be 10
4. Skip the Rest of 404 Detection
5. Save settings

5) Away Mode - Skip enitrely

6) Ban Users:

1. Enable the Default Blacklist
2. Enable Ban Users
3. Skip the rest of Ban Users
4. Save settings

7) Brute Force Protection:

1. Get iThemes Brute Force Protection API Key
2. Enable iThemes Brute Force Network Protection
3. Enable local brute force protection
4. Max Login Attempts Per Host should be 5 Attempts
5. Max Login Attempts Per User should be 10 Attempts
6. Minutes to Remember Bad Login (check period) should be 5 Minutes
7. Check Automatically ban "admin" user
8. Save settings

8) Database Backups - Skip entirely

9) File Change Detection:

1. Enable File Change Detection
2. Split File Scanning into chunks
3. Enable Email File Change Notifications
4. Enable Display File Change Admin Warning
5. Enable Compare Files Online
6. Save settings

10) Hide Login Area:

1. Enable Hide Backend
2. Login Slug should be changed from the suggested wplogin to a unique one
3. Enable Theme Compatibility
4. Theme Compatibility Slug should be not_found
5. Save settings

11) Malware Scanning:

1. Enable Send email notifications when an issue is found
2. Select Administrative users that receive motification emails
3. Save settings

12) Secure Socket Layers (SSL) - Skip entirely

13) Strong Password:

1. Enable Strong Passwords
2. Select Role for Strong Passwords should be Subscriber
3. Select Refuse Compromised Passwords and minimum role Subscriber.
4. Save settings

14) System Tweaks:

1. Enable System Files protection
2. Disable Directory Browsing
3. Enable Filter Request Methods
4. Enable Filter Suspicious Query Strings in URL
5. Enable Filter Non-English Characters
6. Enable Filter Long URL Strings (Only disable if it creates interferance with other plugins such as S2 Member)
7. Enable Remove File Writting Permissions
8. Enable Disable PHP in uploads
9. Skip disable PHP in plugins, and disable PHP in themes
10. Save settings

15) WordPress Tweaks:

1. Remove Windows Live Writer Header and EditURI Header
2. Remove the RSD (Really Simple Discovery) header
3. Enable Comment Spam reduction
4. Disable File Editor
5. Set XML-RPC to Disable XML-RPC (recommended)
6. Set Multiple Authentication Attempts per XML-RPC Request to Block (recommended)
7. Restrict access to Rest API
8. Enable Replace jQuery With a Safe Version
9. Disable Login Error Messages
10. Enable Force Unique Nickname
11. Disable Extra User Archives
12. Enable Protect against tabnapping
13. Save settings

16) WordPress Salts:

1. Enable, and click Change WordPress Salts
2. Save settings

(Note: WordPress salts should only be changed when first setting up a site, or after cleaning up, or restoring a site that has been compromised with malware.)

17) Change Database Table Prefix:

1. It is important that you create a database backup before changing the table prefix in the event that something goes wrong
2. Under Change Prefix, select 'Yes' from the dropdown menu
3. Save settings

(Note: Database Table Prefix should only be changed when first setting up a site, or after cleaning up, or restoring a site that has been compromised with malware.)

18) reCAPTCHA: (note: disable for login only if users are having issues logging in)

1. Click "Google reCAPTCHA" link and add site's URL to your reCAPTCHA account, you don't have an account, log in with your Google account and create one
2. Copy Site Key from google and paste it into the respect field in iThemes
3. Copy Secret Key from google and paste it into the respect field in iThemes
4. Enable Use reCAPTCHA for user login
5. Enable Use reCAPTCHA for user registration
6. Enable Use reCAPTCHA for new comments
7. Leave the rest as default
8. Save settings

19) Bonus: Two-Factor Authentication (For added layer of security, but not necessary for most sites as it adds unnecessary burden to the login process)

1. Under Authentication Methods Available to Users select "All Methods" from the drop-down
2. Check all boxes under Select Available Methods
3. Under Select Roles to Protect check all roles you'd like to protect, at minimum select Administrator
4. Leave the rest as default
5. Save settings

The Latest iThemes updates

Notifications and other features have been added to iThemes, so please update the following items

20) Notifications: The main section for all notifications for selected options above.

1. Leave the From Email text field alone. It will pull in the admin email as the main notifications email.
2. Select only main (AWD) emails as the default receipents
3. The only main features that you want checked and to have notifications sent out, and that you have enabled, are Malware Scan Results, Hide Backend, and 2-factor Authentication.

You're all set!