Security is a hot topic for thousands of WordPress users and it’s been a theme that I’ve been passionate about lately. I just conducted a guided tour of how the iThemes Security plugin works, why it’s useful and the thinking behind changing the settings and benefiting the most from the free plugin. I shared my live review with the local Arizona WordPress Group, and thought I’d share some of my takeaways with you.
Before you install this plugin, I strongly recommend reading my post on how to approach WordPress security. Installing the iThemes Security plugin will not benefit you unless you understand the big picture of securing your WordPress website. Security is a moving target.
Warning: Do not enable all the security fixes at once. Doing so could break your site and you won’t know what change in particular caused any errors. Also, not all recommended fixes need fixing. Make changes one at a time!
So, here’s my advice on the following areas of the iThemes Security WordPress plugin.
Installation & Updates
I’ve used this plugin for a few years without issue. Installation is easy. Just search for “iThemes Security” when adding plugins. Since it was acquired by iThemes, it has been actively maintained and actually has a very long title, “iThemes Security (formerly Better WP Security)”.
A special point to keep in mind – if your website is already hacked, the plugin may have difficulty getting installed. If your site is already hacked, consider having Sucuri fix it for you.
The Dashboard is pretty straightforward and is the first place everyone should look. It gives recommendations broken out by severity. Not every flagged item is a real risk for your site – weigh it against your own experience and your web hosting provider. If your Managed WordPress host already provides automatic backups, don’t enable the plugin’s automatic backups. Not sure? Just ask them; they will be happy to tell you.
Click the blue “Fix” button next to items you’d like to implement. It will prompt you to confirm and lets you adjust further settings for the item in question. Underneath each item, click Save to apply the changes.
A nifty feature of the dashboard is a detailed overview of your current hosting environment, IP address, browser user agent and other technical details.
I applaud iThemes Security for the user-friendly Settings screen. It’s easy to use and the descriptions are important to help you decide if you wish to apply the changes. It is okay to not make all the changes and you can usually Google the topic to learn more about it.
When you make changes, change one item at a time and click Save. If a problem occurs, you can quickly nail down why it happened and recover from it easily.
As the “Advanced” section suggests, more technical settings are managed here. As I mentioned, before adjusting these settings, you should be comfortable accessing your server via FTP and being able to manage your MySQL database. From experience, I haven’t had any issue, but the functions here have the possibility of breaking your WordPress installation.
Notable settings that can be managed here include changing your database prefix (example: wp_users to f35yq_users), obfuscating the wp-content folder and other nifty improvements.
If your WordPress hosting provider already performs automated backups, do not use the iThemes backup features. Backing up the site files and database from within WordPress is taxing on the server. But if you are on a shared host or otherwise don’t have automatic backups, this feature is excellent.
It’s not as powerful as BackupBuddy, another iThemes product, but if you wreck your WordPress site, you can recover from it.
I enjoy browsing my logs to see what type of attacks are happening on my sites. Most often, users will see invalid login attempts at all hours of the day and night, many of them against usernames that don’t exist. In the logs, you’ll also find invalid file access attempts, which are automated scans against your site. Within the logs, you also have access to the IP address along with a link to a geo-location service so you can see what network and location the attack came from.
My own personal preference is to review and block frequent hits from similar networks by blocking the last octet of the IP address (Class D), because it’s a sign that the network is unsafe or poorly managed.
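As an added illustration of the log review described above (this is example code written for this post, not part of the iThemes Security plugin, and the log format it parses is a constructed one, not the plugin’s real log layout), the script below takes a handful of constructed log lines, counts failed logins per IP and per /24 network (the “last octet” grouping), counts attempts against usernames that don’t exist, and lists the networks worth reviewing for a block. The threshold value and the rule that a network must involve more than one source host are assumptions chosen for the example: a whole /24 can also contain legitimate visitors, so a single noisy host is usually better blocked on its own.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log (NOT the real iThemes log format): one event per line,
# a timestamp, an event type, then key=value fields. Addresses are from the
# documentation ranges (TEST-NET-1/2/3).
SAMPLE_LOG = """\
2024-05-01 02:13:44 invalid_login user=admin ip=203.0.113.10
2024-05-01 02:13:51 invalid_login user=administrator ip=203.0.113.10
2024-05-01 02:14:02 invalid_login user=wpadmin ip=203.0.113.77
2024-05-01 02:14:20 invalid_login user=test ip=203.0.113.120
2024-05-01 03:01:09 invalid_login user=jane ip=198.51.100.5
2024-05-01 03:40:31 file_access path=/wp-config.php.bak ip=203.0.113.10
2024-05-01 04:11:58 invalid_login user=admin ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\w+) (?P<fields>.*)$")


def parse_log(text):
    """Parse the constructed format into a list of event dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": m["ts"], "event": m["event"]}
        for kv in m["fields"].split():
            key, _, value = kv.partition("=")
            event[key] = value
        events.append(event)
    return events


def _failed_logins(events):
    return [e for e in events if e["event"] == "invalid_login"]


def failed_logins_by_ip(events):
    """How many failed logins each source IP produced."""
    return Counter(e["ip"] for e in _failed_logins(events))


def failed_logins_by_network(events, prefixlen=24):
    """Same count, but collapsed onto the enclosing network (prefixlen=24 drops the last octet)."""
    return Counter(
        str(ip_network(f"{e['ip']}/{prefixlen}", strict=False))
        for e in _failed_logins(events)
    )


def unknown_user_attempts(events, known_users):
    """Failed logins against usernames that do not exist on the site (a typical bot signature)."""
    return sum(1 for e in _failed_logins(events) if e["user"] not in known_users)


def networks_to_review(events, threshold, prefixlen=24):
    """Networks whose failed-login total meets the threshold AND that involve more than
    one source host. A single noisy host is better handled on its own, because a /24
    block also catches any legitimate visitors sharing that network."""
    by_net = failed_logins_by_network(events, prefixlen)
    hosts = {}
    for e in _failed_logins(events):
        net = str(ip_network(f"{e['ip']}/{prefixlen}", strict=False))
        hosts.setdefault(net, set()).add(e["ip"])
    return sorted(net for net, n in by_net.items() if n >= threshold and len(hosts[net]) > 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logins by IP:", failed_logins_by_ip(evs))
    print("failed logins by /24:", failed_logins_by_network(evs))
    print("attempts against unknown users:", unknown_user_attempts(evs, {"jane"}))
    print("networks to review:", networks_to_review(evs, threshold=3))
```

Run it as-is to see the counts for the sample; to use it on a real export, replace `SAMPLE_LOG` with the file contents and adjust `LINE_RE` to whatever format your log actually uses.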
All in all, iThemes Security is a useful tool for learning about and improving your site’s security. The frequent updates it receives are a sign that it’s actively maintained by security researchers and WordPress aficionados. That said, for those who don’t have a strategy for securing their WordPress site, this plugin might not help, because the habits that put the site at risk may persist.
For those who need support or hands-on guidance using iThemes Security – because it can be overwhelming at first glance – iThemes offers a premium support service. If your site is already hacked, it is worth hiring Sucuri to analyze and remove any such hacks on your server, then use iThemes to limit the possibility of future compromises.
iThemes Security Plugin Screenshots
This post is a part of my 60 days of blogging. Read more about #60DOB.
Photo credit: iThemes Security; WordPress.org