As you probably already know, one of the security plugins that I recommend the most is iThemes Security, formerly known as Better WP Security (honestly, I thought it was a better name, I do not know why they changed it), and it is a complete suite of security tools that covers the needs of any professional website, and I’m talking about the free version.
There are other similar security plugins, but most do not offer as many security tools or as good in its free version.
It has many virtues but let’s see how to configure it correctly, which is the best way to know what this WordPress security plugin is for and how it does it.
Table of Contents
Of course, it installs like any other WordPress plugin, it’s always highlighted in the popular plugins of your WordPress plugin installer, as it has more than a million active installations, and is always updated.
As soon as you install and activate it, go to the new menu called Security, where for the moment you will only find, and nothing less than, its configuration wizard.
Before version 8.0 there was no configuration wizard, just some basic initial settings, but since this version, the plugin has received a complete redesign, in which the wizard is absolutely essential, as it makes it easy for you to configure all the security settings of your site in a simple way.
If you don’t run the wizard then you would have to dig through different sections of the plugin settings to find the security settings, and in no logical order.
So in this case the configuration wizard is not something optional, but practically essential for a good plugin configuration.
It is possible to find the wizard settings again, but I assure you that you will have trouble finding some, despite the search engine that has the plugin, and in fact some settings will not be available because they require some module to be active that was not activated in the wizard.
That said, let’s go through the different steps of the iThemes Security configuration wizard.
Type of site
This wizard proposes to make a series of quick adjustments depending on the type of website: e-commerce, network of sites, non-profit organization website, blog, portfolio or brochure.
You can skip this configuration wizard, but as a start, I recommend using one of the web type templates, as it will save you a few settings, but then you can always access all the other settings, no matter what you choose in this wizard.
Own site or client site
No matter what type of site you choose, the next step of the wizard will ask you if you are configuring the site for yourself or for a client, and this step is important, because if you choose for the client, you will be asked if you want to configure the security settings, among other things.
And, if you listened to me, and it is a site for a client, the next step asks you to select which users are assigned to your client, grouping them together to make it easier to manage their permissions later on.
Profiles with permissions to manage security
The next step, which would be the first if you chose before that it was your own site, is to specify which users will be able to manage all the plugin settings, being your user active by default.
Will customers be able to configure security or not?
Next, if it is a client site, the wizard will ask you if you will allow them to manage the plugin settings. My advice is that if you are going to take care of the maintenance of the website do not allow it, and if you will deliver the website to them after your work you should activate it.
Client user profiles
In the next step, you must select in which WordPress user profiles are the users of your clients.
On the next screen, we enter already in security because you must choose if you want to force strong passwords to users. My advice is that yes, you should activate it, because it increases the WordPress password requirements.
2-factor Authentication, brute force attacks and Pro Security
With this step we fully enter the security features.
It consists of 3 steps in which you must decide on the security on the login screen, namely whether to enable two-factor protection, whether to apply a blocking policy against attacks, and finally if you want to enable additional security (Pro) by detecting the server configuration and IPs, to add rules to protect you from attacks.
My advice is to activate everything.
In particular, the two-factor identification is the best access security, as it requires double verification and 3 pieces of information:
- Your username or email
- Your password
- Verification on a mobile device or by email of a one-time use code.
Once you activate the 2-factor identification each user in their profile will be able to review the QR code to activate the application, the secret key and the authentication codes.
In the case of authentication codes, write them down, because it will only show them once.
As for the protection against brute force attacks, I think there is nothing more to say, activate it yes or yes.
Finally, the Pro security checks does not mean that you have to pay for the paid version of the plugin, but by activating them you add an additional protection tool based on your server configuration that you can then run.
Having seen the main security features, we come to the configuration of user groups.
The most advisable thing to do, especially if you have already configured the client group or similar, is to use the default groups, otherwise you will have to create them and assign security settings to them.
But no matter what you select, in the next screen, you have the possibility to configure each group, either the already created ones or the customized ones you generate.
In the configuration screen my recommended settings for clients would be this:
- Manage iThemes Security – Disabled (if you are going to manage the website yourself, otherwise enabled).
- Enable dashboard creation – Disabled (it is an unnecessary interface customization)
- Strong passwords – Enabled
- Refuse compromised passwords – Enabled (system to check if user’s emails are on lists of compromised emails in security breaches on other websites – highly recommended)
- Skip two-factor onboarding – Disabled (makes it easier to set up 2-step authentication)
- Application passwords – Enabled (more secure method of access included in WordPress).
The option to reject passwords compromised in known security breaches is especially powerful, and will prevent a user from using passwords that are known to have been compromised in attacks on other websites.
Continuing with the settings according to the user group, if we talk about the recommended settings for the administrator who manages the security and configures the plugin, the settings would be these others:
- Manage iThemes Security – Enabled.
- Enable dashboard creation – Enabled
- Strong passwords – Enabled
- Refuse compromised passwords – Enabled
- Skip two-factor onboarding – Disabled
- Application Passwords – Enabled
Which would be as you see in this other screen, the next screen in the iThemes Security setup wizard:
Then the wizard will ask you to configure these settings for each of the other existing user profiles in your WordPress installation, and my advice is to apply the same settings as for the client group, unless you want to allow some additional settings to a profile, for example to editors. It’s up to you.
And with this, we have finished the configuration of groups.
At this point, we arrive at the global security settings, in whose first screen we will have the recommendation to accept the configuration made by the plugin based on what we have already configured previously, so we do it.
But don’t hurry, we will be able to review these settings in the following screens.
Authorization and detection of IPs and servers
In the first one we can add our current IP to be included in the whitelist, as well as any other IP needed for the proper functioning of our website, for example from CloudFlare or payment gateways.
What I do recommend is to change the IP detection method to security check scan, which is the most effective.
Network Brute force
On the next screen you can choose with which email address you join the network of sites with active iThemes Security, so you can take advantage of the shared knowledge of other websites when it comes to automatically block IPs or servers, and incidentally, you can also activate the security newsletter (the latter I do not recommend, in security you have to be up to date, not a week).
It is highly recommended to join this system by putting your email address because in case the network of sites with iThemes Security detects brute force attacks from certain IPs or servers, your website will take advantage of this shared knowledge and block the attackers detected on other sites.
In the next screen you have to (obligatorily) set a default e-mail address for the notifications, and determine to whom they will be sent.
It is important that you activate them, as they will alert you of important information. You can even configure which ones you want to be notified in addition to sending e-mails with the most relevant events.
And with this we are reaching the end of the wizard.
In the last screen of the wizard you just have to confirm, and review if you want, which security settings will be applied according to the decisions you have made in the wizard.
If you are convinced, simply click on the “Secure Site” button and then on the “Finish” button.
When you finish, this nice screen will appear, from which you can go to the iThemes Security dashboard or settings.
Tip: At any time during the wizard you can review settings from previous screens by clicking on the corresponding section on the left side.
The security desk
In case you decide to go to the iThemes Security desktop you will find a series of cards with different warnings and statistics, depending on the modules you have active.
These cards can be dragged and moved to change them to your liking.
Also, from the link at the top you can add or hide the cards you want.
But not only that, from the desktop you have some buttons, such as the one to perform site scans.
Or quick database backups.
If at any time you want to review the security settings made during the wizard, or if you skipped the wizard, you can access the security settings from the link at the top of the dashboard or from the plugin’s security menu.
You will arrive at a screen where you will find the same settings and configurations that we have already seen in the configuration wizard and some more, being able to modify them if you decide to make any changes, add a user group, etc.
There’s a lot to configure, so let’s go through all the settings…
Access security – 2-factor authentication
This section is especially important, as we are going to reinforce the WordPress administration gateway. And this is where it is advisable to activate the 2-factor authentication, or double verification. Just enable it and then click on the icon for the tool settings.
In the next screen you have 2 important settings, such as the choice of 2-factor verification methods, and whether you want to disable it on the first login.
The 2-step verification methods available(if you don’t choose the “all methods” recommended setting) are:
- Mobile app – The user will have to install an app on their mobile, such as Google Authenticator or Authy, and in order to access the website, in addition to their username and password, they will have to add a one-time use code with timer from the chosen app.
- Email – After entering username and password the user will need to add a code that will be emailed to them.
- Backup authentication codes – This is a safeguard in case you lose your phone, email access, or uninstall the mobile application, and consists of a series of single-use codes, which you can use if any of the above methods fail.
Here choose the method you prefer, but always make sure that the backup identification codes are active, in case of errors.
Regarding the configuration flow, you could disable the first login but I do not recommend it, it is always a help for users, and you can customize the text as needed.
To finish with this part, and it is something you should do in every iThemes Security setting you modify, notice that at the top of the settings there is a link to the user groups, so I recommend you click to review settings for this security feature in each user group, as there are additional settings, which you can customize in each group.
This is a constant in several steps of the plugin configuration, so whenever you are configuring something, after saving the main settings, see if there is a need to click to configure additional settings in the user groups.
Furthermore, these specific settings for user groups you have no other way to access them, you must go through the login security feature to do so.
On the next screen of this feature’s settings for user groups you will see 2 additional settings to review for each user group listed in the left sidebar, in case you would like to change them.
The settings, and my recommendation, are these:
- Skip the two-factor onboarding – Disabled – It’s best to always explain to all users a bit about the 2-factor identification process.
- App Passwords – Enable – A verification method without compromising your password.
This security tool is vital to protect your website so my advice is to activate the 3 components of the module:
- Ban users – Enable – To be able to block IP addresses and user types.
- Local brute force – Enable – Protect your website against criminals trying to access your website through brute force attacks.
- Network Brute Force – Enable – As I explained before, you join the iThemes Security global network and take advantage of blocking settings in case of massive attacks.
Once you activate all 3 tools click on the wheel icon above any of them or in the Features → Lockouts section of the left sidebar, whichever you prefer, to configure the settings for each tool in this module.
In the ban user settings enable the default list, which will add to your
.htaccess file a number of bans on known attacking IPs and user agents.
In addition, enable the ban list, and add any user agents, such as bots and fake browsers, that you detect on your site over time.
Local brute force
In these settings I recommend you to enable the “admin” user ban, a historical vulnerability of old WordPress installations, where always the first user is named so.
In addition, you can configure the number of login attempts:
- Per host – How many times the same server/computer/IP can attempt incorrect logins before it enters the block list.
- Per user – Maximum number of attempts per username before blocking.
The last setting is to specify how long users and/or servers will be blocked after failed attempts.
The default amounts are correct, leave them as is unless special needs.
Network brute force
In this screen simply put the main email to be activated if it was not already activated from the plugin configuration wizard.
What I do not recommend is to activate the news by email, it is a weekly email that does not add anything.
This module, inactive by default, you should always have it active. So the plugin will alert you when there are changes in files, sometimes due to hacks, and so you can be aware, and inform your users, of security breaches.
It is a system of detection of changes in files, essential to be able to check if our website is compromised because it has been modified without our knowledge.
Once activated go to the tool settings by clicking on the “Gear” icon on the screen or from the left side menu Features → Site Check.
This screen is something special. First you have a browser through your web files, and on the right a list of files and folders you want to exclude from browsing.
To exclude a folder or file you have to select it and then click the bottom select button, and its path will be added to the list on the right.
Finally, you can also exclude files with the extensions you add to the file type box from the check.
Finally, we have a series of additional utilities, which I already anticipate that most of them are not very useful, or not to the extent offered by iThemes Security.
In short, this is my recommendation:
- Enforce SSL – Disable – If you don’t have another SSL forcing system it may work, but even WordPress has this tool, and if you want to control more aspects of SSL forcing I recommend you better use SG Optimizer from SiteGround, or the Redirection plugin.
- Database backups – Disable – Very limited, only allows to save copies locally or send them by email. Better use a good backup system plugin for WordPress.
- Pro security checks – Enable – As I explained in the section of this guide about the configuration wizard, it is interesting to enable it, because it adds additional checks based on the configuration of your server.
iThemes Security Tools
From the settings screen you can access, from a link on the bottom left (yes, it’s a bit hidden), to the iThemes Security tools.
By deploying each of the tools you will be able to configure very important settings for the security of your website.
Identify server IPs
Click on the “Run” button so that iThemes Security identifies your server’s IP and, based on it, avoids unintentional blocking and other errors.
Change the user with ID 1
This is a basic WordPress security vulnerability, whereby the first user, the administrator who does the installation, by default receives ID 1 in the database, and this can be exploited by hackers.
Run this tool to change the ID of this user automatically.
Warning: If you limited the iThemes Security settings to your admin user you could lose access permissions to the theme settings, so before making this change make sure that any admin user can manage iThemes Security in the user group settings.
Change the database prefix
Another basic security tip is to never use the default WordPress table prefix
wp_, and in this module, you can easily change it.
Always backup the database before but it is quite safe to change it.
wp-config.php file or the database is write-protected the change is automatic and painless.
Check file permissions
This tool simply reads the write permissions of folders and files in your WordPress installation, so that you can take action if necessary in the System Settings module that we will see later.
So click the button to check the current status, if there are any warnings then we will fix them.
Server configuration rules
This tool can show you 3 possible states:
- That there are no rules to write.
- That there are rules to write.
- Display of the rules written in the
This tool mainly serves to display the rules applied by iThemes Security in the
.htaccess file to protect your website, based on the configuration and settings you have activated.
Most of these rules are configured in the system settings, which we will see later.
Same as the previous tool, but in this case applicable to rules that the plugin adds to the WordPress configuration file,
Again it is a viewer and little else, these rules are applied from the WordPress settings of the plugin, which we will also see below.
Change WordPress SALTs
This tool allows you to instantly change the SALTs in the WordPress
wp-config.php file, with the result that all logged-in users (including you) are forced to disconnect.
Useful when you suspect that there have been unwanted logins and you need to kick everyone out to apply some temporary restriction (such as Sleep Mode).
Pro security checks
If you activated this tool in the iThemes Security features (modules) here you can run it, applying relevant settings for the security of your website, as well as tips to improve it.
Advanced security settings
Another almost hidden, but very important feature is the advanced settings of iThemes Security.
To access these settings you have a link on the plugin settings page.
There are 3 sections in these settings:
- System tweaks – Settings to increase security by restricting file access and PHP execution on your server, to reduce vulnerabilities in file uploads, especially.
- WordPress tweaks – Here you can improve security by removing the ability to edit files from the WordPress desktop, and limiting how APIs and users access your website.
- Hide backend – Not the ideal security method for WordPress access but it will take away a lot of brute force attack attempts on the usual URLs from which to access the WordPress administration.
Interesting, isn’t it? Let’s take a look at each section in detail…
This module has all its settings inactive by default, and you are late to activate them because there are very important settings to secure WordPress that you must activate yes or yes.
Here is a summary of what you should activate or not and why:
- File access
- Protect system files – Active: Protect system files using
- Disable directory browsing – Active: This is a basic security rule that almost all hosting currently have but just in case activate it.
- Protect system files – Active: Protect system files using
- PHP execution
- Disable PHP on uploads / plugins / themes – Active : Add an
.htaccessfile to the plugins, themes and uploads folders (where the images and documents you upload are hosted) so that PHP cannot be executed from them. And yes, plugins and themes still work (I get asked this a lot).
- Disable PHP on uploads / plugins / themes – Active : Add an
So, put it as in the following screenshot and save the changes:
Here is another module that is important for you to review to strengthen the security of WordPress, especially since all of its settings are configured insecure by default.
My secure configuration recommendation for this module is as follows:
- Disable File Editor – Disable: Disables the WordPress internal editor for plugins and themes, plus the file editor for Yoast SEO and other plugins. It does not disable the additional CSS of the customizer. It is common for hackers to first gain access and then try to escalate permissions to use these editors to inject code.
- API Access
- XML-RPC – XML-RPC disabled : If you don’t use the WordPress mobile app, JetPack or pingbacks (the recommended setting) you would do well to disable this old WordPress vulnerability.
- Multiple authentication attempts per XML-RPC request – Disable: Even if you have XML-RPC enabled always disable this.
- REST API – Restricted Access: Even if any application uses the REST API, restrict access to require a logged in user.
- Login with email address or username – Only email address: Although WordPress allows access with the user or email it is safer to allow it only with the email, it always has special characters and they are longer than the name.
- Force unique alias – Enable: Avoid using the username as alias and thus not give clues to hackers.
- Disable extra user archives – Disable: If an author has no published articles it does not generate his author files so as not to give clues to hackers.
Again, my recommended configuration for better security is like the one in this screenshot:
Anyway, if any application stops working because it needs more access to the API, or there are users who are not happy with having to access in a different way, you can change some settings as needed, but always knowing the security connotations that I explained before.
This tool is used to hide the access via
wp-admin, changing the default address to access WordPress for one of your choices.
Although the best tool for securing access is 2-factor login, this adds up, saving you a good amount of brute force automated login attempts, and adds a layer of customization to your site in the process.
Simply enable it and choose the login and registration slugs (URLs) you want instead of the default WordPress ones.
You can also enable a custom redirect for users/bots trying to access via the usual WordPress URLs. You can put a full URL or a slug of your website.
The custom login action should only be added if a plugin requires it.
Configure – Global security settings
One section that remains half-configured no matter how much we go through all the settings and even the wizard is the security settings in the configuration section, and you should not miss to check them, as there are some really important security settings.
Let’s review the recommended configuration in each setting…
- Write to files – Enable – It is essential that you allow iThemes Security to be able to add rules to WordPress configuration files (.htaccess and wp-config.php), otherwise most of your settings and configurations will have no effect.
- Lockout minutes – Time during which any user will not be able to log in after several failed attempts – Recommended: No less than 5 minutes.
- Days to remember locks – How many days the plugin remembers a locked user/server and will not allow him/her to login – Recommended: Minimum 1 day.
- Ban repeat offender – Enable – Whether the plugin should add an IP to the block list after exceeding a recidivism threshold.
- Ban threshold – Recommended maximum of 3.
- Lockout messages – Here you can customize the messages that users will see when the plugin blocks their access when it fails – Recommended: Explain each case well, to help normal users, bots and hackers won’t even read the messages.
- Authorized hosts
- Automatically authorize hosts temporarily – Enable – Add a list of IP addresses that you want to authorize so that the plugin does not block them by mistake. Good examples are your own IP or those of services that require it.
- How logs should be saved – Here we configure where to store iThemes Security activity logs – Recommended: Database only.
- Days to store logs in the database – Try not to store them too many days or your database will grow too big – Recommended: 15 days maximum.
- IP detection – Here you choose the method the plugin will use for IP detection – Recommended: Security check scan.
- UI tweaks
- Hide security menu in admin bar – By default there is a security menu in the admin menu bar, mostly unnecessary, except if you disable email alerts for file changes. Recommended: Enable to hide it.
- Enable grade report – Enable – When enabled you will be able to see a kind of security assessment of your site in the security dashboard.
In case you have any doubts, here is a screenshot with the recommended configurations of these global settings, with the ones missing from the screenshot above.
The alert center
Although at the beginning we already configured the basic setting for alerts, as you go activating modules and configuring settings new options are created for alerts, both the administrator and users, so it is advisable that, when you finish configuring the plugin, you go through the alert center and review it, because there will certainly be interesting settings to configure.
The first thing, as soon as you log in, is the possibility of changing the email address of the email notifications of incidents and various threats.
If you do not put anything, if you leave it blank, the administration one will be used, unless you want to put another one, a false one for example, so that they do not answer.
Next you must decide who will receive the security warnings, and I recommend that you limit it to the administrators, or much better to the one who really knows how to deal with this type of security warnings, usually the technical or maintenance manager of the web, or failing that, you, if you are the administrator.
Save the changes and let’s review what else we can configure in the notification center.
The next thing is if we want to receive alerts when a user or IP is blocked, and my advice is not to activate it, there can be many emails that are received and, in this as in everything, many alerts end up being just as useful as no warning, because you end up not paying attention to them.
Different is the case of warnings in case of file changes, which is usually so relevant to security that my advice is to activate them.
You may receive an email after updating a plugin or WordPress itself, but it is not as frequent as with lockouts, and it is always a good idea to check for file changes.
File change notification emails will take you to a log of the files that have changed.
And you can also check them later in the plugin’s logs.
Finally, we finish with the configuration of the messages that will arrive to the users to activate and confirm the two-factor authentication by e-mail.
The important thing here is that the messages are clear, easily understood by the user, in order to complete the verification process at login.
In addition to the above free modules, you can also access paid modules from $48 per year, these are the most interesting ones:
- Trusted devices.
- Summary of updates.
- Security profiles per user, as well as per group.
- Premium custom support.
Is iThemes Security the best security plugin for WordPress?
Although there are tastes for everything, I usually recommend iThemes Security because …
- It explains everything very well, with lots of text to know what you are doing and why
- It has all the essentials
- It offers free security tools that in other plugins you have to pay for.
- What it does, it does it well
- It is easy to configure (now more with this guide)