WordPress is the most popular website platform currently on the web.

It’s solid, easy to use and because of it’s popularity, it’s weaknesses are more well known to bots and hackers out there who like to mess things up for humble bloggers like us.

The good news is that these little weaknesses that everyone knows of can be easily stitched up with a plugin called iThemes Security and a few tweaks. So I do this on each and every website I create.

So below I have a video aswell as the written steps to getting your WordPress website secured using iThemes Security.

Please note: You can never be 100% unhackable.  While the following will dramatically decrease the odds of your website being hacked or injected with Malware there’s always a possiblity that someone can get in if they’re serious and smart enough.  This post also contains some affiliate links I earn a commission from when purchased – I’d recommend them even if i didn’t and they come at no extra expense to you.

Subscribe to my YouTube Channel Here

Disclaimer: By watching this video you consent to the use of YouTube’s Cookies.

First, Back Up

When you start playing with these settings, they will change your website and therefore there’s a possiblity that you may experience some problems – including a WorPress crash.

I highly recommend backing up before getting started!

If your host has a backup feature, I’d use that or you can schedule regular backups using BackupBuddy – which is an awesome tool.

Backing up regularly is one of the best forms of security you can implement.  Regardless of if or when your site goes down, a recent backup and can fix the problem rather quickly.

Install iThemes Security & run a a Security Check

It’s simple, go to ‘Plugins’, then ‘Add new’ and search for iThemes Secutrity in the WordPress repository.

Install iThemese Security

Install and activate!

Secure your site

The go to the tab on the left of your dashboard that says ‘Security’, you’ll be prompted to run a security check.  Do this, secure your site by and move on to the next step.  If you aren’t prompted automatically, it’s the first option on the top left of the page after you enter the Security Settings.

Global Settings

There’s a box at the top of the page called ‘Global Settings’, click the ‘configure’ button in that box. These are just some basic settings to make sure the plugin works properly and secures you against some known offenders.

Global Settings

Make sure the following are ticked:

  • ‘Allow iThemes Security to write to wp-config.php and .htaccess.’
  • ‘Enable Blacklist Repeat Offender’

Then scroll down and add your current IP to the Whitelist.  All other settings are fine, click the button ‘Save Settings’.

Enable 404 Protection

People will quite often go scannign a website for a vulnerable webpage they can use to hack into your site.  This triggers a lot of pages that don;t exist and an unusually high number of ‘404’ errors popup.

So we can lock people out who trigger an unusually high number of 404 errors.

No need to configure this one as the default settings are fine. Simply click ‘Enable’ and you’re good to go!

Enable Banned Users

Some people are bad news, so you can simply ban known users and people with suspicious activity from accessing your site.

This is simple, Enable and configure, the on the popup ticket the two boxes:

  • ‘Enable HackRepair.com’s blacklist feature’
  • ‘Enable Ban Lists’

Save the settings and move on again!

Enable Database Backups

Backup your database regularly just in case things go south. Enable this feature and just click ‘configure’ to check you are happy with the settings. I like to simply be emailed the backups so next to Backup method I usually select ‘Email Only’.

Just confirm that ‘Enable Scheduled Database Backups’ is ticked. Save your settings and move on.

Again, I recommend Backup Buddy to schedule full website backups so you have everything you could need if your site goes down.

System Tweaks & WordPress Tweaks

There are two areas that have a series of settings you can enable to that add an added layer of protection:

  • System Tweaks
  • WordPress Tweaks

Enable both, and configure each by ticking all of the available options.  If you find some problems arise with plugins or functionalityon your site, consider disabling these.

Change WordPress Salts

WordPress uses encrypted keys to keep elements of your site secure, changing these WordPress Salts will harden them up, making them even more secure.

WordPress Salts

Click Configure Settings, tick the box and save settings.

Warning – this will log you out of WordPress, so you will have to log back in to continue from there.

Change Database Table prefix

Sometimes when a bot or hacker goes after your database, it has an understanding of certain bits of code within it it can modify. Changing the Database Table Prefix makes this just a little less predictable and safe.

Now, this can cause database issues, which is why I do it when I first install WordPress but not on an aged website.

Change Database Prefix
Change Database Prefix

But if you’re just building a new site, head to the tab on the top right that says ‘Advanced’, click ‘Configure Settings’ under ‘Change Table Prefix’.

Once the screen pops up, click the dropdown, select ‘Yes’ and then ‘Save Settings’.

Protect against Brute Force Attacks

Brute Force attacks are when bots try to log in to your website by visiting your login page and guessing your username and password over and over to gain access.

This can be throttled quite easily though by enabling a few features, changing the address of the login page, and using hard to guess usernames and passwords.

So let’s get into it.

Local Brute Force Protection & Network Brute Force Protection – find on the main security screen and Enable these features.

Change the Login Page Address by heading to the ‘Advanced’ section (top right tab) and configuring ‘Hide Back End’.

Check the box ‘Enable the hide backend feature.’ and enter a new, hard to guess, login page address next to ‘Login Slug’. Click ‘Save Settings’. NOTE: Remember to save this new address so you know where you need to go in the future to log into your website.

Enable Strong password Enforcement back in the main Security dashboard.  I usually only apply it to Administrators but you can choose ‘Subscriber’ if you really want to nail it down.

Is your username ‘Admin’? This is an easy to guess username and is highly vulnerable to Bruteforce attack, you can change this by…

Use Two Factor Authentication. This isn’t available in the free version, but I put it here as it is a terrific way to make your website more secure. Basically after you log in you are  sent a verification code (email, phone app, there’s a few options) that you enter to gain access.  This is highly recommended, but you do need iThemes Security Pro to access this feature.

Additional Tips

While we’re here securing your WordPress website, there’s a few more things we can do to make sure things are tightened up properly.  some of those things are:

Update WordPress, Plugins and Themes Regularly

When a plugin, theme or WordPress has an update, they quite often patch up security issues that have been discovered.

When you log into WordPress, hover over the top menu item on the left ‘Dashboard’, on the fly out click ‘Updates’.  Ther eyou can go through an update everything that is out of date.

Here’s  a quick video that may help:

Disclaimer: By watching this video you consent to the use of YouTube’s Cookies.

Delete Plugins and Themes you aren’t using

So, first of all by deleting unused plugins and themes then you won’t have to update them.  But some may be be carrying vulnerabilities whether they’re updated or not.  So instead of having them there as a potential backdoor, just delete them.

You can easily delete these in their pages found in the WordPress dashboard.

Change the User Display name

Go to your user page and make sure you username isn’t being publicly displayed.  That mean sit may popup in commenting and throguh out your website.  Enter your first name, last name and a nickname and then click the dropdown to choose a new public display name.

Change Public Name

Don’t allow just anybody to register a user account

There are bots out there you simply go around creating user accounts on WordPress websites. This isn’t good, nip it in the bud by going to Your General WordPress settings and unticking the box ‘Anyone Can Register’.

Dont allow just anybody to register

Actually, delete any users that shouldn’t be there.

Sign up for HTTPS

Talk to your host and get an SSL certificate for your website. This will encrypt communications between users and your website and make things safer.\

Some hosts offer these for free, this why I recommend a quality web host.  Speaking of web hosts…

Use Quality Hosting

If you have a dodgy webhost hosting your website than all of your efforts could be offset by their crappy service. I recommend the Hostgator cloud plans as they have performed solid for me and many others for years.

If you wanted to take it to next level, WP Engine are more expensive but offer a far superior service.

Again, thanks for reading, see you again soon!

Related Posts for WordPress Advice & Tutorials