WordPress Websites across the internet are being targeted and crawled every day by hackers and bots, they try password usernames and combinations picked up from the dark web and look for outdated and exploits in the Plugin being used. The iThemes Security Pro WordPress Plugin in 2022 allows you to secure and lock down your entire website to greatly reduce the chances of being breached and hacked.
We look after our physical property, our phones, our cars, our houses generally incredibly well but all too often we neglect and avoid the security of our digital and online security, we should begin to treat our online identities, details, and website as we do with our physical ones – with caution and security.
At WPDesigns we recommend the iThemes Security Pro WordPress Plugin to protect your details, data, and website. We will install and configure iThemes as part of one of our maintenance packages or we can set it up independently.
In this post, we will take a look at the Plugin and the features it offers you.
Table of Contents
Why iThemes Security?
Security is something we take very seriously at WPDesigns and is also something you should too. Your website, business, and your reputation are not built overnight but one hacker can bring it all down in just a few seconds and a few lines of hidden code and some malicious redirects. Once hacked Google will often blacklist your site before you realize there is an issue and rebuilding your reputation with Google is a long and winding road that sometimes never happens.
The iThemes Security Pro WordPress Plugin is created by a team of tech experts who specialize in WordPress and cybersecurity – they know their stuff! But even so, no amount of on-site security can make a website 100% safe, if someone has enough time and resources, breaking into a site is only a matter of time. The access route could be through an outdated Plugin or Theme, a weak/ compromised password (reduce this risk by reading our password security guide.), an exploit that is found or a user interaction that risks site security.
The Plugin allows a dashboard to be integrated into your WordPress Dashboard, this gives you details and stats about the login attempts, lockouts, and other security issues.
The iThemes Security Pro WordPress Plugin is not something that you can set up and then forget about, the Plugin risks breaking some functions and features of websites it is installed on and the website should be checked for any issues. Backups are key and having access to the back-end of your website through Cpanel or similar is even more so. Before we start on any site at WPDesigns, we need this information. We take care of what we do and for this reason, need to make sure we can recover everything if any issues arise.
The Plugin has many ways to protect your site from attacks, hacks, and bots, in the next section we will take a look at a few of the different features available.
iThemes Security Pro WordPress Plugin 2022 Features & Functions
- Banning IP Addresses – This is a useful setting that will allow you to automatically ban and block the IP addresses of known hackers so they cannot even access your website, let alone start probing it for weaknesses and issues that they can exploit.
- Strong Passwords – The Plugin will warn users about weak passwords for user accounts. All passwords should follow the standard password guidelines to remain as safe as possible, compromising on your password jeopardizes the entire site and every other website that is hosted in the same Cpanel account and every subdomain.
- Known Passwords – The iThemes Security Pro WordPress Plugin will run the password against a list of commonly used and hacked passwords for websites and force the user to change the weak or compromised password. You can view the most commonly used passwords and if you find yours… change it immediately!
- Hiding WordPress System Information – This is an important simple but effective step which stops attackers from identifying your WordPress install. The attacker can take the information about your WordPress install and run this information against known issues/ exploits. The WordPress system information should be hidden on all websites.
- Locking Out Users – Users who enter the wrong login information will be locked out after a certain number of attempts. This can be set on the network, host, and user level. You can check the locked-out IPs and remove them from the list if incorrectly added.
The password 123456 was found 23 million times in data breaches
The Top 20 Passwords
- Requiring SSL – This is not a feature that should be missed and should be enabled on the site from its creation. Enabling it from the creation of the website will not only help secure the site but will also stop the “Insecure Content” warning that is found on many browsers.
- Site Scanning – The iThemes Security Pro WordPress Plugin can scan your website for signs of viruses, malware, and other suspicious code. Having these issues identified is a hugely important way to be able to start sorting out the issues as soon as possible.
- Security Check – This is a useful feature that checks your website against all of the recommended features that iThemes offers. It will allow you to take action on the features that are not currently enabled and allow you to check those that are currently enabled.
- 404 Detection – You can choose to block IP addresses that are checking the site for weaknesses by searching for 404-page errors. You can block an IP that exceeds a certain number of 404 errors within a given time. Some hackers and bots will search for 404 pages to find hidden pages that they can exploit and gain access to.
- Database Backups Scheduler – As it says … creates a backup of the database on a fixed schedule but can also be backed up upon request. Making sure you have a good backup of your website is key to saving it if something happens. You ideally need a backup both online and offline to be safe.
- Global Settings – Many of the available site options to configure for the Plugin can be found here.
- Admin User – This will remove any users who have the username “Admin”. This is important as the generic username for a WordPress website is “Admin” and is often the first username attempted by hackers. It will also change the UserID from 1, a way hackers can pull admin usernames. You should not use the name Admin on your website as a username. Bots and hackers can find out your username even if it is not that but iThemes also allows you to hide this from others.
- Hide Backend – The default WordPress login URL is wp-login.php and wp-admin, this is common knowledge for WordPress users and people looking to gain access to WordPress sites. This is the first place people look to gain access to the site. Changing this is advisable but you’ll need to take more steps to stop more determined attempts. You can try it out yourself, go to a site and append /wp-admin and see if you can gain access to their login page. The iThemes Security Pro WordPress Plugin 2022 will allow you to effectively hide the WordPress login page along with giving you other solutions to stop people from finding it and your usernames.
Away Mode – A very useful feature that can lock access to your dashboard between certain hours. Perhaps you only access the WordPress dashboard between work hours, you can set this to block any attempts outside of those hours.
- Change Content Directory – This is a useful feature to help make a hacker’s job more difficult by changing the content directory name. The older bots will be stuck with this but the more modern ones can get past this so this option is not as useful as it may seem but is something that can help.
- Change the Database Table Prefix – By default the WordPress Database will be prefixed with “WP_” followed by a series of numbers, attackers are aware of this and will search the site to find the database. If they have access to your database it is a good stepping stone that allows them to gain access to a lot more.
- Monitor File Changes – It will notify you of any changes to site files, this can be used to detect the upload of unwanted or dangerous files. This option is useful if your site is not being built or regularly updated but, as it says, it will notify you of each file change and if you are changing many files you will not likely see the files changed by someone else unless you comb them thoroughly.
- Notification Centre – This allows you to receive alerts, lockouts, file changes, user changes, and many other features directly into your inbox.
WordPress Salts – Make an update to the secret keys that WordPress uses to store the passwords for the site. The password salts used on a website are important otherwise the password is left exposed to anyone who has access legitimate or illegitimate. Without a password salt, the password would be visible to anyone looking.
- WordPress Tweaks – A set of advanced settings that improve website security by changing default WordPress behavior
- User Groups – With User Groups you can control the access and levels of particular users of the site
- Local Brute Force Protection – This is a great feature that will block users from trying to guess the usernames and passwords on a website. Brute Force attacks are one of the most popular forms of website attack and should not be underestimated. A bot or hacker with unlimited attempts to guess your username and password will undoubtedly succeed.
- Network Brute Force Protection – Adds your website to a list of websites that coordinate together and share the details of attacks and work together to protect against bad actors online. This is a great idea that helps to stop numerous attacks as the network is made up of thousands and thousands of users notifying of the latest attacks.
- Server Configuration Rules – These are the server configuration rules that need to be added to secure your site at the server level.
Wp-config.php Rules – You can manually update your wp-config.php file with the rules generated here. Be careful when editing this file and a copy of this file should be taken of it before editing in case of an issue.
- Magic Links – The iThemes Security Pro WordPress Plugin 2022 gives you this useful feature that allows genuine users the ability to log in using a link sent to their email addresses. This is also good for allowing accidentality-locked out users to gain access again without having to wait for the set time or contact an Administrator to remove them from the blocked user’s list. If the hacker has access to the user’s email this feature can provide an easy access point to the website so it should not be used for high-level and admin users.
- Malware Scan Schedule – This feature is good as it will check the site for malware, viruses, and exploit code. The website can be set to scan every day and if an issue is found it will alert the user immediately.
- Passwordless Login – This utilizes the magic link and allows users to log in through that, as with the magic link this can be good for lower-level accounts but should not be used for the higher levels.
- Privilege Escalation – This allows the website Administrators to temporarily grant access to other site users for a while. This could be for numerous reasons and the access is revoked after some time.
- reCAPTCHA – Created and maintained by Google, reCAPTCHA is a great feature that helps to protect sites from bots and spammers by verifying the user as a human. This can be done in the background determined by the way they interact with the site or through a direct challenge.
- Settings Import and Export – This allows you to import and export your predetermined iThemes Security Pro for WordPress settings onto another site or as a backup for the settings on the current one.
- Security Dashboard – The Security Dashboard is a great way to see what exactly is going on with your site in terms of security and recent activity. You can create custom dashboards and drag and change the elements that you can see. This allows you to choose the most important features for you and your site.
- Two Factor Authentication – One of the best features in iThemes Security Pro WordPress Plugin 2022 is the offering of 2FA or Two Factor Authentication. It is an incredibly effective security measure that should not be overlooked but often is by too many, this option on its own would stop many break-ins and breaches. The idea behind 2FA is to make sure that even if the account becomes compromised through the username and password the account still cannot be accessed. The user will be sent a code by email, text, or an authenticator app such as Google Authenticator. 2FA is becoming more and more commonplace and is a very good way to secure accounts as even if the username and password are breached the account cannot be accessed without the extra code.
- User Logging – This tracks accounts on the website, logging all of their actions, posts, edits, saves, etc. This is perhaps invasive but depends upon the type and style of website you are using it on.
- User Security Check – Every user account on your website presents a security risk, it is important to be able to see how each user is affecting your overall website security and what action needs to be taken to upgrade the security. What access do the users have and how secure are they are their security settings? If they are breached can they bring down the entire site, the pages, the posts? Knowing which users have what ability is important.
- Version Management – Protect your website by restricting certain actions when there is outdated software and it is not updated quickly enough. If the site becomes outdated and a high-security risk then iThemes will block the users from accessing certain features and functions until the site is updated and secured again.
- Trusted Devices (Beta) – Trusted Devices allow you to have full access to the website dashboard when using a trusted device but they will be restricted with the actions they can take when logging in from another device. This can be an issue for devices with dynamic IP addresses. I am looking forward to this feature being developed further as I have had issues with it in its current form but I believe the Trusted Devices feature could be a great step forward for WordPress security.
How Should You Use The iThemes Security Pro WordPress Plugin?
As a WordPress user on a daily basis having to completely review all of the individual security actions taken each day by the iThemes Security Pro WordPress Plugin 2022 would not only be extremely time-consuming but also not particularly easy. Luckily for yourself and other security conscious WordPress users the iThemes dashboard is great! The security Plugins Dashboard can be customized to present the most important and relevant information you need and removes the information you don’t immediately need to see. You can see stats in real-time, monitor active lockouts, logged-in users, recent attacks, Plugins presenting a security risk, and suspicious activities and the list goes on! In brief, it gives you what you need to see in small bite-size information chunks that are easy to understand and comprehend, these are called “cards” and make it easy-to-understand. Each card represents a security area and can be arranged, made visible or not as desired.
When setting up the iThemes Security Pro WordPress Plugin you must be careful when enabling certain features as they could adversely affect your website if there is another website Plugin or function that relies on it. It is advisable to take a backup of the website before making any changes and also worth knowing how to disable to Plugin through your Cpanel file system in case of getting locked out by accident.
The iThemes Security Pro WordPress Plugin is an incredibly powerful and feature-packed plugin that manages to do all of this within a small price tag and minimum impact on website performance.
The dashboard and way the features are broken up is very user-friendly and makes this a great solution for anyone looking for a security plugin.
Whether you are a small-time business or a bigger business looking to protect your website and its data then iThemes Pro has what you need. With all this said, it is only a plugin and comes with some limitations.
The Plugin is not going to be able to stop every attack and every piece of malware that is out there and it will consume some minor resources on your hosting – having a minimum of 1GB of RAM is recommended to make sure the plugin fully can run without impacting the performance of your website. If you have less than 1GB of RAM for your website I would suggest looking to upgrade your host anyway.
The issues mentioned here are true of all WordPress security plugins that are available at the current time and this option is the best we at WPDesigns have come across.
What can WPDesigns do for you?
WPDesigns will ensure that iThemes Security is set up for your site and will cover everything needed to ensure your site is as secure as possible. We will require access to your CPanel account and access to your WordPress Dashboard so that everything is done securely and correctly. Once installed and added, all the options will be checked for conflicts and any loss of functionality to the website. If you would like us to install and set up iThemes Security Pro WordPress Plugin for you then you can contact us.