Using a WordPress security plugin like iThemes Security Pro is a great way to secure your WordPress site. In this post, we cover 5 iThemes Security tips to help secure your WordPress website.
WordPress security can seem like a daunting task, but the good news is managing your security strategy can be a painless experience.
1. Strengthen WordPress Logins
Brute force is the most basic type of WordPress attack. A WordPress brute force attack occurs when an intruder attempts to log into a WordPress site by guessing username and password combinations until one succeeds. A bot can quickly scrape the site to see if any posts, plugins or themes link to a legitimate username. Once it has found a potential username, all it needs is that WordPress user’s password to gain access to the WordPress admin.
Unfortunately, most people don’t follow WordPress password security best practices, and they reuse the same username and password on multiple sites. The credentials they use may have been part of one of the 5,371,313,595 compromised accounts known to hackers, so an intruder can run the username against a breach database to see if a matching password turns up. The attack strategy has gone from randomly guessing WordPress usernames and passwords to a process of elimination.
WordPress Password Requirements
Well, guess what, bot, we are ready for you. iThemes Security Pro has incorporated the haveibeenpwned API which will prevent users from using compromised passwords that are tracked by the API.
In the Refuse Compromised Passwords setting, you can select the minimum role at which a user’s password must not appear in a known breach database.
We aren’t done yet. We made things harder on that nasty bot, but it is still a bot and the only thing on its agenda is to guess our password.
Let’s make things even harder on this bot by leveling up the password game for your WordPress login. Using the iThemes Security Pro’s Strong Passwords feature allows you to force users to use strong WordPress passwords that are not easy for a bot to guess.
With these two settings activated, you can set your users up for success by giving them the tools to follow the best practices for WordPress passwords.
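To show what the two settings above amount to in practice, here is an added example (written for this post, not iThemes Security Pro’s own code) of a compromised-password check built on the Have I Been Pwned k-anonymity range model, combined with a strong-password policy and the role gate. The range response, the role ordering and the policy thresholds are this example’s own assumptions; only the first suffix in the constructed response is the genuine remainder of SHA-1("password").

```python
import hashlib
import re

# Constructed stand-in for the body the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<prefix>) returns: one
# "<35-hex-char SHA-1 suffix>:<breach count>" line per hash sharing the
# 5-character prefix. These lines are made up for the example, except that
# the first suffix is the genuine remainder of SHA-1("password").
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n",
}

# WordPress roles from least to most privileged; assumed ordering used to
# decide whether the configured minimum role applies to a given user.
ROLE_ORDER = ["subscriber", "contributor", "author", "editor", "administrator"]


def lookup_range(prefix: str) -> str:
    """Return the suffix list for a 5-character prefix.

    In production this is an HTTPS GET against the range endpoint; here it is
    served from the constructed table so the example runs offline.
    """
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def breach_count(password: str, fetch=lookup_range) -> int:
    """k-anonymity check: only the first 5 hex chars of SHA-1(password) leave
    the server; the full hash is compared locally against the returned suffixes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def role_requires_clean_password(user_role: str, minimum_role: str) -> bool:
    """True when the user's role is at or above the configured minimum role."""
    return ROLE_ORDER.index(user_role) >= ROLE_ORDER.index(minimum_role)


def password_problems(password: str, username: str, user_role: str = "subscriber",
                      minimum_role: str = "subscriber", min_length: int = 12) -> list:
    """Return the reasons a password should be refused; an empty list means accepted.

    Combines a strong-password policy (length, character variety, not derived from
    the username) with the breached-password check for roles at or above the
    minimum. The thresholds are this example's own choices.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if role_requires_clean_password(user_role, minimum_role):
        hits = breach_count(password)
        if hits:
            problems.append(f"appears in {hits} known breaches")
    return problems


if __name__ == "__main__":
    print(password_problems("password", "admin", "administrator", "editor"))
    print(password_problems("Tr0ub4dor&3-long-enough!", "admin", "administrator", "editor"))
```

The point of the prefix split is that the server never sees the password or its full hash, so the check can be made against a third-party service without turning that service into a second place the password could leak from.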
Enable WordPress Two-Factor Authentication
We don’t like this persistent little bot, so let’s make things even harder on it by adding an extra step to the WordPress login. Two-factor authentication adds a solid layer of security to any WordPress site, especially when the authentication method is token-based and requires a physical device to log in.
With iThemes Security Pro’s WordPress two-factor authentication setting, you can quickly enable the mobile app method of two-factor authentication on your WordPress site. Here’s more on how to set up two-factor using Google Authenticator with iThemes Security.
Once the mobile app method is configured, a bot should give up and move on. No matter how persistent it is, it will never have access to your phone to see the required token needed to log in.
2. WordPress Version Management
Running outdated software is the number one reason a WordPress site or blog gets hacked. Keeping your WordPress website up to date is easy, and the updates will often include critical security patches.
Bots will scour the internet looking for WordPress sites running outdated software with known WordPress vulnerabilities. When you leave software out of date, you are giving a would-be hacker the blueprint to bypass all other security measures you have added to the site. It is easier, cheaper and less time-consuming to update than it is to clean up a WordPress hack that should have been prevented.
Automatic WordPress Updates
Enabling the iThemes Security Pro WordPress Version Management feature will automate updates of WordPress core, plugins, and themes. This means your site will have the most recent security patches without any effort required by you. Automating WordPress Security is so cool!
Scan Hosting Account for Old/Outdated WordPress Sites
Bots will also try to find forgotten or incomplete WordPress installs that they can easily exploit. iThemes Security’s WordPress Version Management feature will perform a daily scan of your hosting account and alert you if it finds anything that needs your attention.
3. Review WordPress Security Logging
Keeping track of the activity that happens on a WordPress site is another great security tool to add to your arsenal. These logs can answer when, what and how something on the site was changed or added.
WordPress User Logs
The iThemes Security WordPress User Logging feature lets you keep track of what users are doing on your WordPress site. The WordPress security logs will record when a user logs in and out and the IP used. It also documents any WordPress plugin or theme changes made by the user, like installing, deleting, activating, deactivating and updating. The security logs will also record content changes like adding or editing posts and pages.
If a bot somehow manages to log in and add tons of pharma spam to your site, you will be able to quickly ban the bot and remove all of the unwanted spam. If the bot has created new users to try to hide its activity, you can use the WordPress security logs to find this out too, and then remove the users before they can create any more havoc on the site.
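Logs only pay off if someone reads them, so here is an added example (written for this post, not part of iThemes Security) of the review described above run as code: it parses a constructed set of user-activity log lines and chains the events together, from a burst of failed logins, to the account that then logged in from the same IP, to the users that account created and the plugins and content they touched. The log format, the event names and the thresholds are this example’s own assumptions; the IP addresses come from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <action> key=value ...". The format and the
# action names are this example's own, not the plugin's.
CONSTRUCTED_LOG = (
    "2024-03-01T10:00:01Z login_failed user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:02Z login_failed user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:03Z login_failed user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:04Z login_failed user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:05Z login_failed user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:06Z login_success user=admin ip=203.0.113.7\n"
    "2024-03-01T10:00:40Z user_created user=admin ip=203.0.113.7 target=wp_support\n"
    "2024-03-01T10:01:10Z plugin_activated user=wp_support ip=203.0.113.7 target=seo-booster\n"
    + "".join(f"2024-03-01T10:01:{15 + 2 * i:02d}Z post_created user=wp_support "
              f"ip=203.0.113.7 target={4411 + i}\n" for i in range(12))
    + "2024-03-01T12:00:00Z login_success user=editor ip=198.51.100.20\n"
    "2024-03-01T12:05:00Z post_created user=editor ip=198.51.100.20 target=4500\n"
)


def parse_log(text: str) -> list:
    """Turn each log line into a dict with a datetime, the action and its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def has_burst(times: list, threshold: int, window: timedelta) -> bool:
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def analyse(events: list, fail_threshold: int = 5, fail_window: timedelta = timedelta(seconds=60),
            post_threshold: int = 10, post_window: timedelta = timedelta(minutes=5)) -> dict:
    failures, posts = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["action"] == "login_failed":
            failures[ev["ip"]].append(ev["ts"])
        elif ev["action"] == "post_created":
            posts[ev["user"]].append(ev["ts"])

    # 1. Source IPs that hammered the login form.
    brute_force_ips = {ip for ip, t in failures.items() if has_burst(t, fail_threshold, fail_window)}
    # 2. Accounts that then logged in successfully from one of those IPs: treat as compromised.
    compromised_users = {ev["user"] for ev in events
                         if ev["action"] == "login_success" and ev["ip"] in brute_force_ips}
    # 3. Accounts created by a compromised account (a bot trying to hide its activity).
    suspicious_accounts = {ev["target"] for ev in events
                           if ev["action"] == "user_created" and ev["user"] in compromised_users}
    # 4. Plugin or theme changes performed by either set of accounts.
    tainted = compromised_users | suspicious_accounts
    plugin_changes = [(ev["user"], ev["action"], ev["target"]) for ev in events
                      if ev["action"].startswith(("plugin_", "theme_")) and ev["user"] in tainted]
    # 5. Content floods (pharma spam) by any user, tainted or not.
    spam_bursts = {u for u, t in posts.items() if has_burst(t, post_threshold, post_window)}

    return {"brute_force_ips": brute_force_ips, "compromised_users": compromised_users,
            "suspicious_accounts": suspicious_accounts, "plugin_changes": plugin_changes,
            "spam_bursts": spam_bursts}


if __name__ == "__main__":
    for name, value in analyse(parse_log(CONSTRUCTED_LOG)).items():
        print(f"{name}: {value}")
```

Each finding here maps to a clean-up action the post describes: the IP is banned, the account created by the bot is removed, the activated plugin is reviewed, and the post IDs in the burst are the spam to delete. The legitimate editor, who logged in once and published once, is not flagged.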
WordPress Malware Scan and File Change Scans
A good part of any WordPress security routine is to scan for malware and for changes made to your site. Using iThemes Security Pro’s WordPress malware scan, you can have your site scanned automatically every day and the results recorded in the WordPress security logs. Information is power, and keeping track of important events gives you the data you need to take appropriate action to lock down your website.
4. Activate Magic Links
Whitelisting a WordPress user’s IP in iThemes Security prevents them from locking out their own WordPress username. However, if that annoying bot from earlier is attempting to use their username in a brute force attack, you will still want to lock out the username to lock down the WordPress login.
In the past, the user would try to log in and be met with a lockout message, which left them confused and meant more work for you to clear the lockout and allow them to log in.
Allow Legitimate WordPress Users to Bypass Lockouts With Magic Links
Now the user will be met with an option to send a Magic Link to their email to bypass iThemes Security lockouts and log in. They will still need to enter their correct WordPress username and password before magically bypassing the lockout.
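What makes such a link safe to hand out while a username is locked is how the token in it is built and checked. The following is an added example (this post’s own illustration, not iThemes Security’s implementation) of one way to do it: the token binds the username, an expiry and a random nonce under an HMAC; redeeming it requires a valid signature, an unexpired timestamp, an unused nonce and, as the post says, the correct password. The signing key, the 15-minute lifetime and the consume-before-credential-check rule are this example’s assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Server-side signing key; a constructed placeholder for the example. In a real
# deployment this is a random secret stored outside the web root.
SERVER_SECRET = b"constructed-example-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60
_redeemed_nonces = set()   # single-use bookkeeping (a database table in production)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_link(username: str, now: int, secret: bytes = SERVER_SECRET) -> str:
    """Build the token embedded in the e-mailed link: "user|expiry|nonce", HMAC-SHA256 signed."""
    payload = f"{username}|{now + TOKEN_TTL_SECONDS}|{secrets.token_hex(8)}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def redeem_magic_link(token: str, username: str, password_ok: bool, now: int,
                      secret: bytes = SERVER_SECRET, store: set = _redeemed_nonces):
    """Decide whether a locked-out login may proceed. Returns (allowed, reason)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"            # forged or tampered link
    user, expiry, nonce = payload.decode().rsplit("|", 2)
    if now > int(expiry):
        return False, "expired"
    if nonce in store:
        return False, "token already used"
    # Consume the nonce before checking credentials: one link is one attempt, so a
    # captured link cannot be replayed to keep guessing past the lockout.
    store.add(nonce)
    if user != username:
        return False, "token issued to a different user"
    if not password_ok:
        return False, "bad credentials"
    return True, "ok"


if __name__ == "__main__":
    link_token = issue_magic_link("alice", now=1_700_000_000)
    print(redeem_magic_link(link_token, "alice", password_ok=True, now=1_700_000_100))
    print(redeem_magic_link(link_token, "alice", password_ok=True, now=1_700_000_100))
```

Consuming the nonce before the password check is deliberate: the link exists to let one legitimate user through one lockout, not to give anyone holding it unlimited tries, so a mistyped password simply means requesting a fresh link.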
5. Manage iThemes Security Settings from iThemes Sync
iThemes Sync allows you to manage multiple WordPress sites from one location. This means you can perform some of your security tasks without having to log in to dozens of websites.
From the Security tab in your iThemes Sync dashboard, you can export iThemes Security settings from one site and import them into a new site, release iThemes Security lockouts, temporarily override iThemes Security two-factor authentication and even temporarily whitelist your IP.
Now go and use these 5 tips to harden the security of your WordPress sites.