1. Code
  2. WordPress

A Guide on Using the iThemes Security Plugin


Every popular service or product constantly gets threatened by evil minds. No matter which measures you take, you can't achieve 100% security on the Internet. But with the right tools and some common sense, we can try 99.99%, can't we?

WordPress is the most popular content management system in the world and undoubtedly one of the most secure platforms on the web. But it still needs some security adjustments after installation, and novice users might be vulnerable against hackers – and that's where security plugins come in handy.

In this article, we're going to review one of the best plugins about securing your WordPress website: iThemes Security (formerly known as Better WP Security). We'll be walking through the settings pages and see the features offered by the plugin. In addition to that, we'll review some WordPress security tips.

Let's begin by downloading and installing the iThemes Security plugin.

Installing the Plugin

Even if you've met WordPress and created your first website today, installing a WordPress plugin is extremely easy.

  • Head to the Add New page under the Plugins menu in your administration panel.
  • In the search form, type in "iThemes Security" (case insensitive).
  • See the iThemes Security plugin, and click on the Install link under its name.

On the next page, you need to wait a few seconds for the plugin to be downloaded and installed automatically. (In some hosting environments, you may need to enter your FTP credentials before getting to the installation step.) After the plugin is downloaded and installed, click on the Activate the plugin link to, well, activate the plugin.

Setting Up and Using iThemes Security

Setting up the plugin is really easy – probably one of the easiest among popular WordPress plugins. And we'll go over the installation and usage steps with screenshots so you won't miss anything.

Let's begin!

Setting It Up

When the installation is finished, head back to the Plugins page. You'll see a notice of the iThemes Security plugin:

iThemes Security plugin activation notice

When you click the "Secure Your Site Now" button, you'll see a page with the modal box below:

iThemes Security First Steps
"First Steps" Box

These steps are for the first-time users of iThemes Security:

  • Back Up Your Site: Takes a snapshot of your WordPress installation to let you undo your mistakes if you ever make while setting up the plugin.
  • Allow File Updates: Lets iThemes Security work with the core WordPress files like wp-config.php and .htaccess.
  • Secure Your Site: Enables some recommended settings to secure your website with one click.
  • Help Us Improve: Sends your data (anonymously) to improve the plugin.

After you're done with these steps, you can head to the Dashboard.

"Dashboard" Page

iThemes Security Dashboard
"Dashboard" Page

Here at the Dashboard page, you can check your "security status" by reviewing items that needs to be fixed, or has already been fixed. The items are divided into four categories: 

  1. High Priority items
  2. Medium Priority items
  3. Low Priority items
  4. Completed items. 

I suggest you take care of the items with "high" and "medium" priorities, and review items with "low" priority to see if they would benefit your website's security.

The Settings Page

iThemes Security Settings
"Settings" Page

On this page, you'll notice that there is a lot to read. Don't let it scare you and try to read them section by section:

  • Global Settings
  • 404 Detection
  • Away Mode
  • Banned Users
  • Brute Force Protection
  • Database Backups
  • File Change Detection
  • Hide Login Area
  • Secure Socket Layers (SSL)
  • Strong Passwords
  • System Tweaks
  • WordPress Tweaks

Personally, I didn't even need to change any settings (other than the things I enabled with the First Steps box) but you may opt to switch off 404 detections, turn on the Away Mode (which basically disables the administration panel at certain times of the day), ban users by their IP addresses or IP address ranges, change database backup settings, enable "file change detection", or turn SSL on for front-end and/or backend.

The Advanced Page

iThemes Security Advanced
"Advanced" Page

Unlike the "Settings" page which has a lot of little settings and tweaks, the "Advanced" page has only three very important tools to enhance your website's security:

  1. Change Admin User: A WordPress administrator with a user ID of "1" or the username "admin" could be a serious threat to your website when a new WordPress security flaw emerges in the future. To reduce the risk of getting your website hacked with unknown hacking methods, you should change the admin user's username and ID with this tool.
  2. Change Content Directory: Hackers can scan the web—just like search engine spiders—to find vulnerable files to attack. For example, if a WordPress plugin has a huge security hole and you happen to use it on your website, hackers can track down your website while scanning the wp-content folders of WordPress websites in the world wide web. This tool lets you change the name of the wp-content folder to make it harder to find.
  3. Change Database Prefix: If your hosting provider has vulnerabilities in their servers, hackers can attack them by infiltrating the system. Just like the two above, this tool prevents a potential security risk by letting you change wp_ database prefix and make it harder for hackers to find your database tables.

These are very delicate adjustments and may cause problems (like making it impossible to login or break your database completely), so it's essential to backup your database before making these changes. If any problem emerges, you can just undo what you did by restoring the backup.

Some Extra Tips About WordPress Security

Consider these useful tips and apply them if you can:

  1. Choose a solid hosting provider: Even if you secure your WordPress installation by taking every possible security measure, hackers can take your website down if your servers are vulnerable. Do your research and choose the safest hosting provider in your list.
  2. Invest in using SSL: While the iThemes Security plugin lets you use SSL, you can't enable it without purchasing an SSL certificate first. Contact your hosting provider to enable HTTPS connections in your WordPress website.
  3. Secure your computer and e-mail accounts: Hackers can try anything to crack your passwords, and this includes sending you viruses or trojan horses and retrieve your credentials. Protect your computer and your email accounts by using a decent security software and a safe internet connection.
  4. Have common sense: iThemes Security has your back by taking security measures to protect your WordPress website. But it lacks a feature that can't really be served by any WordPress plugin: common sense. You shouldn't completely rely on anything but your own common sense. It's the most important aspect of securing your website.


As I mentioned in the beginning, you can't achieve absolute security – but that shouldn't keep us from trying to get there. With a decent plugin like Better WP Security, and a little common sense about web security, you can eliminate—almost—all threats.

What do you think about WordPress security? Have you ever used another plugin to secure your WordPress website? Do you have any more tips to protect WordPress websites? If you have anything to share with Tuts+, please share your comments with us below. And if you liked this article, don't forget to share it with your friends!

Looking for something to help kick start your next project?
Envato Market has a range of items for sale to help get you started.