Free | Lessons: 10 | Length: 37 minutes

2.8 Install the iThemes Security Plugin

In this lesson we will look at iThemes, a powerful security plugin with some unique features. iThemes has a lot of features available for non-premium users as well, which makes it a good choice if you’re on a budget.

Hello, everyone, I am Reggie Dawson. Welcome to the WordPress security tips course for Tuts+. In this video, we will look at the iThemes Security plugin, which was formerly named Better WP Security. This plugin claims to be the number one security plugin for WordPress. If we go ahead and install the plugin, we will get a new menu item that says Security. If we click on this, we will be prompted to secure our site. First, they will ask that you activate network brute force protection. This serves to pool the resources of all the sites running iThemes Security to recognize attackers. It also enables banned users such as the admin account. Then after that it will enable database backups, enable local brute force protection, strong passwords, and WordPress tweaks. Then after that when we click Close, we see the settings. If you ever wanna rerun the security check, all you have to do is choose that option from the dashboard or the Security Check menu item under Security.

At the top, we have a message about obtaining an API key for brute force network protection. Now even in the free version, there are a lot of options available in iThemes Security. If we click on Configure Settings under Global Settings, we can decide the way users are notified that they have been locked out. We can also blacklist accounts after being locked out a specified number of times. Here we can set the amount of time that an account is locked out and whitelist any accounts that we don't want to get locked out. Now 404 detection will allow us to block users who get a lot of 404 errors. This operates under the assumption that this user is looking for nonexistent pages because they are trying to find a known exploit. Away mode is useful to block access to the WordPress site at certain times. Since most organizations operate in regular business hours, users will only access the site during these times. This will limit the time intruders have to try and break into your site.

Then in the Banned Users, we can enable Ban Lists. We have the ability to ban users by IP address or by the user. Now local brute force protection will let us configure how we deal with suspected brute force attacks. We have the option of setting the max login attempts per host and per user. We can also configure how long to remember a bad login as well as automatically banning a host that tries using the admin account.

Unlike the other security plugins that we have looked at, iThemes has a backup feature built in. We can back up the full database and choose the backup method. The choices are email only, locally only, or email and locally. We can also choose how many backups to retain, compress backup files and exclude any tables in the database that we don't wanna back up. At the bottom we have a check box that enables scheduled database backups.

Now file change detection is useful because it will notify you if any files have been changed. Then in the File Permissions menu, we can see how the permissions are set on our WordPress files. As I mentioned, we can change permissions in our folder structure to secure our site further. Here, the plugin will let us know what files have security issues.

Now Network Brute Force Protection is where we configure our site to use the network version. This kind of brute force protection shares detection information across the clients in the network. Once the host is detected, it will share the host IP of the attacker and protect the other sites on the network. Then SSL will allow us to enable SSL on our site. This provides an additional layer of security to encrypt our data between our server and our host. Then in Strong Password Enforcement, we can decide what the minimum role will be that forces the user to have a strong password.

Now System Tweaks has advanced settings that we can use to further secure our site. These are not enabled by default, so we have to click the Enable button first. Once it's enabled, we can protect system files such as wp-config from public access. Then we can also disable a user from being able to browse a directory on our site. We can also filter requests, filter suspicious query strings, filter non-English characters, and filter long URL strings. We can also remove some file writing permissions from some of our files. Remember we looked at the file permissions a moment ago? We can use this option to secure a few of those files that have a problem. Then the final three options block PHP and uploads, plugins, and themes.

Then in WordPress Tweaks, we can remove the Windows Live Writer Header, remove the RSD header, and reduce Comment Spam. We can also disable the File Editor for plugins and themes here. After that, you'll have to manually edit themes in other files. We can also disable XML-RPC, as well as block multiple authentication attempts from it. And then the WordPress REST API can also be restricted from this menu. Then finally the WordPress Salts menu will allow us to generate new WordPress security keys.

Now there are a few more options, but these are reserved for the premium version of the plugin. Now for the most part, it seems like iThemes offers the best mix of security features without being premium. The different options can provide decent protection for your site.
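As an added example that is not part of this transcript and not code from the iThemes Security plugin: a small Python model of the lockout settings the transcript walks through (max login attempts per host and per user, how long a bad login is remembered, the lockout period, blacklisting after repeated lockouts, and a whitelist), replayed over constructed login events so the blocking decisions can be seen. The class, field and function names, the thresholds and the sample addresses are my assumptions, and the blacklist is counted per host here.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # constructed defaults mirroring the settings named in the transcript
    max_per_host: int = 3         # local brute force: max login attempts per host
    max_per_user: int = 5         # local brute force: max login attempts per user
    remember_seconds: int = 300   # how long a bad login is remembered
    lockout_seconds: int = 900    # global settings: how long a lockout lasts
    blacklist_after: int = 2      # global settings: blacklist a host after this many lockouts
    whitelist: frozenset = frozenset()  # hosts that are never locked out

class LockoutTracker:
    def __init__(self, policy):
        self.p, self.blacklist = policy, set()
        self.failures = defaultdict(list)  # ("host", ip) or ("user", name) -> recent failure times
        self.locked_until = {}             # same keys -> time at which the lockout expires
        self.lockouts = defaultdict(int)   # host -> lockouts so far (drives the blacklist)
    def is_blocked(self, host, user, now):  # blacklisted host, or a host/user lockout still active
        keys = (("host", host), ("user", user))
        return host in self.blacklist or any(self.locked_until.get(k, 0) > now for k in keys)
    def record_failure(self, host, user, now):  # returns 'host', 'user', 'blacklist' or None
        if host in self.p.whitelist:
            return None
        result = None
        for key, limit in ((("host", host), self.p.max_per_host), (("user", user), self.p.max_per_user)):
            recent = [t for t in self.failures[key] if t > now - self.p.remember_seconds] + [now]
            self.failures[key] = recent
            if len(recent) >= limit:  # threshold reached: start a lockout and reset the count
                self.locked_until[key], self.failures[key] = now + self.p.lockout_seconds, []
                result = result or key[0]
                if key[0] == "host":
                    self.lockouts[host] += 1
                    if self.lockouts[host] >= self.p.blacklist_after:
                        self.blacklist.add(host)
                        result = "blacklist"
        return result

def replay(events, policy=Policy()):  # events: (time, host, user, succeeded); one decision per event
    tracker, out = LockoutTracker(policy), []
    for t, host, user, ok in events:
        out.append("blocked" if tracker.is_blocked(host, user, t) else None if ok else tracker.record_failure(host, user, t))
    return out

HOST = "198.51.100.7"  # constructed sample log, using documentation-range addresses
SAMPLE_EVENTS = [(0, HOST, "admin", False), (10, HOST, "admin", False), (20, HOST, "admin", False),
                 (30, HOST, "admin", False),  # 3rd failure locked the host, so this one is blocked
                 (1000, HOST, "editor", False), (1010, HOST, "editor", False), (1020, HOST, "editor", False),
                 (5000, HOST, "editor", True)]  # 2nd lockout blacklisted the host: blocked even with a good password
SAMPLE_EVENTS += [(6000 + i, f"203.0.113.{i}", "admin", False) for i in range(1, 6)]  # one user, many hosts
SAMPLE_EVENTS += [(6006, "203.0.113.6", "admin", True)]  # "admin" is now locked out regardless of host
```

Calling `replay(SAMPLE_EVENTS)` shows the host lockout, the blacklist, and the per-user lockout that catches guessing spread across many hosts.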
