How to setup WordPress security using iThemes Security Plugin

How to setup WordPress security using iThemes Security Plugin

Jun 03, 2023


I understand the importance of website security. In this post, we will be discussing how to set up WordPress security using the iThemes Security Plugin. With the increasing number of cyber threats and attacks, it's crucial to take the necessary steps to protect your website and its data. The iThemes Security Plugin is a powerful tool that can help you secure your WordPress site and prevent unauthorized access. In this post, we will guide you through the process of setting up the iThemes Security Plugin and show you how to use its features to enhance your website's security. So, let's get started!


In this lesson, we will discuss iThemes Security WordPress plugin. When comes to the security of your website, it is very important that you should restrict the login attempts so that after certainly failed logins the dashboard access will automatically block. It provides a great security from hackers as hackers try to use different password combination to hack your account. So here we will show we can use iThemes Security Plugin to secure your WordPress.


Most Website owners don’t know they’re vulnerable, but iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, iThemes Security plugin can help harden WordPress. Following are steps to enable iThemes Security in WordPress:


Step (1) – Log in to the dashboard and navigate to Plugins >> Add New.

Step (2) – Install and activate iThemes Security plugin. To know how to Install Plugins in WordPress read our previous lesson.


Step (3) – After activation, you will get a notification. Click on Get Free API key as shown in the screenshot:

Step (4) – A popup opens and enter your e-mail address and click on Save Settings button. Make sure Receive Email Updates checkbox is checked.

Step (5) – You are prompted with dashboard page as shown in the screenshot:

The dashboard page contains a number of options. We are going to discuss each option:

Step (6) Security Check – Ensure that your site is using the recommended features and settings.

  • Step (6.1) – Click on Show Details button from the dashboard.
  • Step (6.2) – A popup opens and clicks on Secure Site button.
  • Step (6.3) – It will do the required settings. Click on the Close button.

Step (7) Global Settings – Configure basic settings that control how iThemes Security functions.

  • Step (7.1) – Click on Configure Settings button from the dashboard.
  • It will show many options which you can change as per your need. The options are:
  • Write to Files – This option allows to write in the .htaccess and wp-config.php file automatically. It should be checked and you can uncheck as per your need.Host Lockout Message – The message to display when a computer (host) has been locked out. You can change as per your need and also use HTML tags inside the box.
  • User Lockout Message – The message to display to a user when their account has been locked out. You can change as per your need and also use HTML tags inside the box.
  • Community Lockout Message – The message to display to a user when their IP has been flagged as bad by the iThemes network. You can change as per your need and also use HTML tags inside the box.
  • Blacklist Repeat Offender – If this box is checked the IP address of the offending computer will be added to the “Ban Users” blacklist after reaching the number of lockouts.
  • Blacklist Threshold – The number of lockouts per IP before the host is banned permanently from this site.
  • Blacklist Lookback Period – How many days should a lockout be remembered to meet the blacklist count above.
  • Lockout Period – For how many minutes the user or host will be banned after failed logins.
  • Lockout White List – You can enter IP addresses which should not be banned after failed logins.
  • Log Type – This will show all logs events. You can choose log of database or file and you can choose both.
  • Days to Keep Database Logs – Days for which the iThemes Security keep the log events of the database. You can set as per your need.
  • Path to Log Files – It shows the path where all log events are saved. You can change as per your need or go with the default setting.
  • Allow Data Tracking – It will track plugins usage if checked.
  • Override Proxy Detection – May result in more accurate IP detection if checked.
  • Hide Security Menu in Admin Bar – Hides security menu from the admin bar.
  • Show Error Codes – It will show error code of each error message if Yes is selected.
  • Step (7.2) – Click on Save Settings button.

Step (8) – Manage and configure email notifications sent by iThemes Security related to various settings modules.

  • Step (8.1) – Click on Configure Settings button from the dashboard.
  • It will show many options which you can change as per your need. The options are:
  • Database Backup – The Database Backup module will send a copy of any backups to the email addresses listed by you.
  • Security Digest – During periods of heavy attack, iThemes Security can generate a LOT of emails. The Security Digest reduces the number of emails sent so you can receive a summary of lockouts and file change detection scans.
  • Site Lockouts – Various modules send emails to notify you when a user or host is locked out of your website.
  • Step (8.2) – Click on Save Settings button.

Step (9) 404 Detection – Click on Enable button to enable 404 detections.

Step (10) Away Mode – Disable access to the WordPress Dashboard on a schedule. Click on Enable button to enable this mode. Later you can configure by clicking on Configure Settings button.

Step (11) Banned Users – Block specific IP addresses and user agents from accessing the site.

Step (12) Database Backups – Create backups of your site’s database. The backups can be created manually and on a schedule.

Step (13) File Change Detection – Monitor the site for unexpected file changes. Click on Enable button and later configure settings as per your need.

Step (14) File Permissions – Lists file and directory permissions of key areas of the site.

  • Step (14.1) – Click on Show Details button.
  • Step (14.2) – It will display all file permissions and their Status. If any warning then you have to change file permission.
  • Step (14.3) – We are going to change file permission of .htaccess file as it is showing permission warning.
  • Step (14.4) – Go to cPanel or FTP and change the file permission to 444 from 644 as suggestions given in the screenshot:
  • Step (14.5) – If you refresh the page, you can see there is no warning in the box as shown in the screenshot:

Step (15) Local Brute Force Protection – Protect your site against attackers that try to randomly guess login details to your site.

Step (16) Network Brute Force Protection – Join a network of sites that reports and protects against bad actors on the internet.

Step (17) SSL – Configure use of SSL to ensure that communications between browsers and the server are secure.

Step (18) Strong Password Enforcement – Force users to use strong passwords as rated by the WordPress password meter.

Step (19) System Tweaks – Advanced settings that improve security by changing the server config for this site.

Step (20) WordPress Salts – Update the secret keys WordPress uses to increase the security of your site.

Step (21) WordPress Tweaks – Advanced settings that improve security by changing default WordPress behavior.