This post contains affiliate links which means if you click on a link and choose to make a purchase I will receive a commission at no additional cost to you. See our disclaimer for more information.
Is your website safe? It is important to take basic security measures to ensure the safety and security of your website. Keep reading to learn how to improve website security using the iThemes Security WordPress plugin.
This post is a part of a series of posts that I have created to help simplify the process of setting up your WordPress site. If you haven’t started a blog yet then I recommend getting started with SiteGround for hosting. You can check out my post on How to Start A Blog which will take you step by step through the process of setting up your blog. It will walk you through the process from the beginning of how to choose a topic for your blog and getting it ready to launch. Make sure you grab a copy of the companion checklist, which includes 100+ steps on how to start a blog.
How to improve your website security
Basic security measures you should take for your website include:
- Change default username from admin
- Create a strong password
- Change default login page URL
Step 1: How to change default admin username in WordPress
Once a user has been created, WordPress does not let you change the username. To get rid of the admin user you need to add a new user with Administrator privileges and then use that account to delete the old admin user profile.
Note: you only need to go through this step if you chose admin as your username when setting up your website.
In the left hand menu click on Users and then select Add New at the top of the page. You can also do this by hovering over Users and selecting Add New from the submenu.
Create a new username, provide an email address and create a strong password. For the user’s role, select Administrator from the drop down menu. Log out of the admin account and log in to your newly created user account.
Once you log in as the new user, go to Users and delete the admin user.
Related: How to install a plugin in WordPress + 6 essential plugins every WordPress user should install
Step 2: Install iThemes Security Plugin
Go to Plugins > Add New, search for the iThemes Security plugin, then click to install and activate it.
Once installed, you can find the settings for the iThemes Security plugin in the left hand menu.
Step 3: Configure iThemes Security Plugin settings
Initially you will get a prompt for a Security Check with recommended settings for every website. Click Secure Site and this will enable the recommended settings for you.
After you click Secure Site, iThemes will prompt you to activate Network Brute Force Protection. Network Brute Force Protection blocks logins from IP addresses that are already known to have attacked other sites using iThemes Security. To enable it, provide your email address and select whether you want to receive email updates.
Here is the dashboard of the iThemes Security plugin. The items marked in blue are the ones that were enabled by the initial security check.
In the iThemes Security dashboard you can switch the view between Grid and List, and you can view All items, Recommended items, or Advanced items.
In the following image I changed it to list view. You will want to configure the settings of each item. We already completed the security check. Next, click Configure Settings for Global Settings.
The following are descriptions of the Global Settings options.
Write to Files: Make sure the checkbox is ticked to allow iThemes Security to write to the specified files.
Notification Email: You can provide an email address where security notifications concerning the status of your website will be sent.
Send Digest Email: If you provided an email address, you can choose to receive a digest email, which limits the email notifications to once per day.
Backup Delivery Email: You can provide an email address to which all database backups will be sent.
Host/User/Community Lockout Message: You can customize the message displayed when a host, user or a particular IP address has been locked out.
Blacklist Repeat Offender: Tick this to enable the blacklist repeat offender feature. When enabled, an IP address that reaches the lockout threshold is added to the banned users blacklist.
Blacklist Threshold: Specify how many lockouts a particular IP address is allowed before it is banned permanently.
Blacklist Look Back Period: Specify how many days a lockout should be remembered when counting toward the threshold.
Lockout Period: How long a host or user will be banned from the site after reaching the limit of login attempts.
Lockout White List: It is recommended to add your own IP address to the whitelist to ensure that you will never be locked out of your website. Click the blue button to add your IP address.
Email Lockout Notifications: Enable this if you want to receive an email notification when someone has been locked out of the site.
Log Type: The iThemes Security plugin keeps a log of events. You can choose Database Only, which is recommended for most users and smaller sites, or File Only.
Days to Keep Database Logs: Specify the number of days database logs should be kept.
Path to Log Files: Specify the path where the log files will be stored.
Allow Data Tracking: Enable this to allow iThemes to track plugin usage.
All other general settings not addressed here can be left at default. Make sure you click to save settings.
Configure Settings for Banned Users:
Click to enable the Blacklist feature. This will block hosts/users that have already been identified as a threat.
Configure settings for Database backup:
Within the iThemes Security plugin you have the option to create a database backup of your website. I recommend using a separate plugin dedicated to backing up your website. Check out my tutorial on how to back up your website to Dropbox using UpdraftPlus.
Configure Settings for Local Brute Force Protection:
In this section you can specify the maximum number of login attempts per user/host before a lockout.
Since you have deleted the admin user account and know better than to use admin as a username, tick the box to automatically ban anyone trying to log in with the “admin” username.
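The lockout settings above work together as one sequence: failed attempts reach the Local Brute Force limit, a lockout lasts for the Lockout Period, lockouts inside the Look Back Period count toward the Blacklist Threshold, a whitelisted host is exempt, and the “admin” username triggers a lockout on its own. As an added illustration (not code from the iThemes plugin), this Python model walks sample login attempts through that logic; the setting values, host addresses and usernames are assumed.

```python
from collections import defaultdict
A, B, W = "198.51.100.7", "192.0.2.9", "203.0.113.10"  # constructed sample hosts
# Constructed settings mirroring the iThemes options above (illustrative values)
MAX_ATTEMPTS = 3              # Local Brute Force: max login attempts per host
LOCKOUT_SECONDS = 15 * 60     # Lockout Period
BLACKLIST_THRESHOLD = 2       # Blacklist Threshold: lockouts before a permanent ban
LOOKBACK_SECONDS = 7 * 86400  # Blacklist Look Back Period
WHITELIST = {W}               # Lockout White List: your own IP is never locked out

class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(list)  # host -> times of failed logins
        self.lockouts = defaultdict(list)  # host -> times of past lockouts
        self.locked_until = {}             # host -> time the lockout expires
        self.banned = set()                # hosts on the permanent blacklist

    def check(self, host, username, success, now):  # one attempt -> resulting state
        if host in WHITELIST:
            return "allowed"
        if host in self.banned:
            return "banned"
        if self.locked_until.get(host, 0) > now:
            return "locked"                  # still inside the lockout period
        if username == "admin":
            return self._lockout(host, now)  # auto-lockout for the "admin" username
        if success:
            self.failures[host].clear()
            return "allowed"
        self.failures[host].append(now)
        if len(self.failures[host]) >= MAX_ATTEMPTS:
            return self._lockout(host, now)
        return "failed"

    def _lockout(self, host, now):
        self.failures[host].clear()
        # Only lockouts inside the look-back period count toward the threshold
        recent = [t for t in self.lockouts[host] if now - t <= LOOKBACK_SECONDS]
        self.lockouts[host] = recent = recent + [now]
        if len(recent) >= BLACKLIST_THRESHOLD:
            self.banned.add(host)            # repeat offender: permanent ban
            return "banned"
        self.locked_until[host] = now + LOCKOUT_SECONDS
        return "locked"

def simulate(events):  # events: (time, host, username, success); returns outcomes
    tracker = LockoutTracker()
    return [tracker.check(h, u, ok, t) for t, h, u, ok in events]
SAMPLE = [(0, A, "bob", False), (10, A, "bob", False), (20, A, "bob", False), (30, A, "bob", True),
          (1000, A, "bob", False), (1010, A, "admin", False), (1020, A, "bob", True),
          (5, W, "admin", False), (0, B, "admin", False), (700000, B, "admin", False)]
```

Note that a correct password during the Lockout Period is still refused, and host B's first lockout has aged out of the look-back window by its second one, so it is locked again rather than banned.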
Configure settings for Strong Password Enforcement:
This setting allows you to force users to use strong passwords. You can select the minimum role at which a user must choose a strong password.
Configure WordPress Tweaks:
The only setting you need to change is the File Editor: uncheck Disable File Editor. By default this is checked, but I don’t recommend it because it hides the file editor from your WordPress dashboard.
Generally you do not need to do anything with your file editor, but I think it is still important to be able to access it. When I first installed this plugin I didn’t realize it hid the editor by default, and when I went looking for it one day it wasn’t there. It took a lot of time to figure out that iThemes was the cause, but it is easily fixed by unchecking this setting. You can access your file editor by going to Appearance in the left hand menu and clicking on Editor in the submenu.
The editor page gives you access to all of your files. As seen in the image below, it currently displays my theme’s CSS stylesheet. On the right hand side you can select the file you want to view and edit. It is recommended not to edit these files directly, but I think it is important to still be able to access this feature in case you need to.
Next, go to the Advanced settings tab and select Configure settings for Hide Backend.
Click to enable the Hide Backend feature and click Save Settings. Once you do, additional options will show up. You will want to change the login slug. By default, the login page slug for every WordPress site is wp-login. I recommend changing the login slug to something else.
Disclaimer: when setting up a website it is a good idea to use a coming soon page plugin while you are building the site. I mention this here because the plugin I recommend requires you to leave the word “login” somewhere within this slug: that lets the login page be found while your other pages stay hidden in maintenance/coming soon mode.
After changing the Login Slug you will be given a prompt that your URL has been changed and that a reminder email has been sent to the email address provided in global settings.
Using the iThemes Security plugin will help to improve your website security. iThemes Security is one of my six recommended plugins that every WordPress user should have for their website. Learn more about the other 5 necessary WordPress plugins you should install on your WordPress site to help with backing up your site, analytics, speed and controlling comment spam.
Don’t forget to download the How to Start A Blog Checklist and check out the full series on how to start your blog.