There are lots and lots of security plugins to choose from for WordPress users. iThemes Security (formerly called Better WP Security) has been serving WordPress sites since 2008. I used to use this plugin many years ago when it was known as Better WP Security. This plugin is considered by many to be the #1 WordPress security plugin on the market.
Site protection is of no concern to most people until it is too late. I have clients all the time who are not interested in setting up a WordPress security plugin because they don’t understand the risk. However, statistics show that 90% of you reading this right now were recently affected, or have been in the past. With in excess of 30,000 cyber attacks a day, mostly targeting small businesses and websites, site protection is a requirement in today’s digital world.
This video gives you a brief overview of the entire process and points out additional features:
A list of the 30+ points of security that the iThemes Security plugin covers:
1. Delete meta generator tag from WordPress.
2. Instead of using wp-admin for login, you use a different URL.
3. Disable login (away mode) for a specified amount of time.
4. When users who are not authorized log in, you can disable the plugin and theme updates.
5. Removes the Windows Live Writer information from the header
6. Removes RSD information from the header
7. Rename the admin account
8. Changes the ID of the user with ID 1
9. Changes database table prefix in WordPress
10. Changes the content path within WordPress
11. Removes error messages in login
12. Displays a random version number to non-administrative users anywhere the version is used
13. Instantly scan your site for detailed vulnerabilities and one click fixes
14. Block bots and hosts that are problematic
15. Block user agents that are problematic
16. Prevent brute force attacks by blocking invalid login attempts from a user or host
17. Strengthen server security
18. Enforce stronger account passwords
19. Forces admin page SSL on supporting hosting providers and service
20. Forces page or post SSL on supporting hosting providers and service
21. Turn off WordPress file editing in the Admin
22. Detect and block numerous attacks to your filesystem and database
23. Detect bots and other attempts to search for vulnerabilities
24. Monitor filesystem for unauthorized changes
25. Create and email database backups on a customizable schedule
26. Make it easier for users to log into a site by giving them log in and admin URLs that make more sense to someone not accustomed to WordPress
27. Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.
28. Works on single site and multi-site installations
29. Apache, LiteSpeed, and NGINX compatible (NGINX will require manual editing)
30. Sets the existing jQuery version to the safer default WordPress version
31. Disable Upload PHP execution
32. Enabling unique user names and logins decreases the ability to scrape Author information.
33. Only lists users with a minimum of 1 post. Decreasing the ability to scrape non-contributing users.
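Three of the points above (9, 21 and 31) can be checked on a copy of a site without the plugin. The following is an added example, not code from iThemes Security: it reads `wp-config.php` for the default `wp_` table prefix and for the WordPress `DISALLOW_FILE_EDIT` constant, and lists script files sitting under the uploads folder, which are the files that disabling PHP execution there would affect. The function names are hypothetical, the sample site is constructed, and the default `wp-content/uploads` location is assumed.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".phar"}

def audit_wordpress(root):
    """Check list items 9, 21 and 31 on a WordPress directory tree."""
    root = Path(root)
    config = (root / "wp-config.php").read_text(errors="replace")
    # Drop PHP comments so a commented-out define() is not counted as enabled.
    code = re.sub(r"/\*.*?\*/", "", config, flags=re.S)
    code = re.sub(r"^\s*(//|#).*$", "", code, flags=re.M)
    edit_off = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", code, re.I)
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
    # Assumption: uploads live in the default wp-content/uploads location.
    uploads = root / "wp-content" / "uploads"
    scripts = []
    if uploads.is_dir():
        scripts = sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                         if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)
    return {
        "file_editor_disabled": bool(edit_off),
        "default_table_prefix": bool(prefix) and prefix.group(1) == "wp_",
        "php_in_uploads": scripts,
    }

def build_sample_site(root, hardened):
    """Create a constructed, minimal site tree for the demonstration."""
    uploads = Path(root) / "wp-content" / "uploads" / "2024"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"constructed placeholder")
    if hardened:
        config = "<?php\n$table_prefix = 'x7k_';\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
    else:
        config = "<?php\n$table_prefix = 'wp_';\n// define( 'DISALLOW_FILE_EDIT', true );\n"
        (uploads / "cache.php").write_text("<?php // constructed placeholder\n")
    (Path(root) / "wp-config.php").write_text(config)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hardened in (("default", False), ("hardened", True)):
            site = build_sample_site(Path(tmp) / name, hardened)
            print(name, audit_wordpress(site))
```

Point `audit_wordpress` at a backup or staging copy of the site; it only reads files and changes nothing.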
With recently added features such as “Brute Force Protection”, your site’s protection is taken a step further by using the network of all iThemes Security users. Brute Force Protection takes the IP details of an attacker from one site and blocks them from every site enrolled in this service, stopping cyber attacks cold for ALL iThemes Security users.
Setup and installation are pretty straightforward. If at any time you get sidetracked in the install process you can simply pick up where you left off by finding the iThemes Security plugin controls in the WordPress Dashboard as seen to the left.
Once you have “Activated” the plugin, your screen will display “Step #1”. You will want to click on the “Get Free API Key” button to enable the “Brute Force Protection” function of the plugin. Clicking on the “Secure Your Site Now” button will move you on to step #2.
There are four more steps from here that will activate all of the features of the plugin: making a backup, setting write permissions, setting the plugin to the default protection setting (suggested), and finally allowing access to your plugin for better support and issue identification (suggested, but not required).
Next comes what I would say is the most important step in the entire setup process. You will want to go ahead and set up the temporary 24-hour whitelist for your IP. If for any reason you DO NOT do this, and you stumble with the new login process, you will essentially be locked out of your website. It would be like getting a new home alarm system and you walk in the door… 30 seconds later it begins to blare because you forgot your passcode. We all would blame the alarm, but it is just doing its job.
In the image below you will see the button to press to save yourself from any personal embarrassment caused by the iThemes Security plugin actually doing its job.
The final steps, all 36 of them, are to go through and make all of the needed changes to your current WordPress settings within the iThemes Security plugin. The panel shown below shows how each step is very simple, and what is changing is explained clearly. The plugin categorizes them as high, medium, and low priority. Make sure you at least pay attention to the “high priority” settings. Do make sure you back up your MySQL databases first, though.
iThemes does allow you to purchase a pro version of the plugin. So far I have just talked about the free version features. But, here are some of the features that the paid version has.
- User tracking.
- Google Authenticator or Authy. It sends a message to your cell phone when someone logs in and logs out.
- Import and export your settings.
- Scan your website automatically.
- Adjust your password with an expiration date.
- Generate stronger passwords.
- You can ban people right from your WordPress dashboard.
- Offline file comparison, modify user privileges (temporarily).
- You can manage your site from the command line.
- Obviously customer support.
Here is a price breakdown of the pro version:
All in all, the iThemes Security plugin for WordPress is worth it. Think of it this way: if your site gets hacked, and you don’t have the proper security plugin installed, you can easily have to pay $75 to $120 for a server technician to recover your files. I am speaking from experience; it sucks to have to shell out that much money when your site does get hacked. Oddly enough, I did learn my lesson when hosting with Hostgator.com. The free version of iThemes is great, but the paid version is a life saver! There are lots of tutorials you can watch at https://ithemes.com/tutorial/category/ithemes-security/ if you want to see how to use the plugin. If you don’t have a security plugin, you should seriously consider getting one. Another security plugin I have used in the past is Wordfence. It’s also a great WordPress security plugin.
Have you used iThemes Security in the past? If so, I would love to hear what you think of it. Is it worth the money, why or why not? Please leave your comments down below.