Ultimate Security Guide Part 8/9: Security Plugins

Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.

This is Part 8: Security Plugins

You won’t have to be too technical to do these yourselves and I’ll be here showing you on the screen, step by step how to do it.

Here are a few things you’ll need to prepare before starting:

  • WordPress Administrative Area Login URL which is typically in most cases /wp-admin after your domain name
  • Your WordPress administrative username
  • Your Password

Today I’m going to show you how to secure your WordPress website by leveraging security plugins.

As well as all of the security measures before this video, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

Here are a handful of popular options

Setup & Configuring a Security Plugin

The one we are going to setup in this video is iThemes Security (formerly known as Better WP Security) – very easy to configure, the basic version is free, and is one of the more user friendly security plugins. We recommend getting the pro version which is $80/year.

  1. Go to Plugins, Add New. Search for “iThemes Security”
  2. Install “iThemes Security (formerly Better WP Security)” and Activate the plugin
  3. Disregard the 2 notifications on top and head over and click the “Security” menu option on the left
  4. You will be presented with a popup – Click the “backup” button first, click on “Allow File Updates” next and finally click on “One Click Secure”. Finally find and click the “dismiss” link in the bottom right corner of the popup. Wait till the page refreshes.
    Skip the Dashboard tab and Click on the settings tab.
  5. Next I will go through the minimum recommended settings. Feel free to explore all settings and configurations based on your website environment.Please beware, the wrong setting can break your website. This is why we will discuss only the basic settings.You do NOT have to click “Save Settings” on every section. We will go through all recommended settings and will Save at the end.Please note that we can not anticipate all server environments so even some of the minimum recommended settings may break your site.

    Please read each option explanation carefully and enable at your own risk.

    • Click “Add my IP to Whitelist” so you don’t get locked by mistake
    • (If this is not a membership site) Checkmark “Away Mode” – leave Daily and lock your site admin area between midnight and 6 AM. This is very helpful in minimizing DDoS attacks during the night hours. Beware: if your server is on a different time than you, this will pick the server time and might lock you out.
    • Check “Enable HackRepair.com’s blacklist feature”
    • Enter your email address under “Get your iThemes Brute Force Protection API Key” (you may uncheck the “Receive email updates about WP Security from iThemes” – they will still provide you with the protection)
    • Ensure “Enable local brute force protection.” is checked
    • Ensure “Immediately ban a host that attempts to login using the “admin” username.” is checked. You should have changed that username by now
    • Ensure “Enable Scheduled Database Backups” is checked and set your desired interval.
    • Ensure “Enable strong password enforcement.” is checked and change “Select Role for Strong Passwords” to subscriber. These will force strong passwords for everyone
    • Ensure “Protect System Files” is checked
    • Ensure “Disable Directory Browsing” is checked
    • Ensure “Filter Request Methods” is checked
    • Ensure “Filter Suspicious Query Strings in the URL” is checked
    • Ensure “Filter Non-English Characters” is checked
    • Ensure “Filter Long URL Strings” is checked
    • Ensure “Remove File Writing Permissions” is checked
    • Ensure “Disable PHP in Uploads” is checked
    • Ensure “Remove the Windows Live Writer header.” is checked
    • Ensure “Remove the RSD (Really Simple Discovery) header.” is checked
    • Ensure “Reduce Comment Spam” is checked
    • If you are not using service/plugin like Jetpack, under XML-RPC, select “Disable XML-RPC”
    • Under “Multiple Authentication Attempts per XML -RPC Request” select Block
    • Ensure “Disable login error messages” is checked
    • Ensure “Force users to choose a unique nickname” is checked
    • Ensure “Disables a user’s author page if their post count is 0.” is checked
    • Click Save All Changes

After going trough the minimum settings, you can click the Dashboard tab and see the level of protection you currently have. Configure the rest of the items at your own risk, or just leave them.

That’s it – you’ve set up the security plugin. Thanks for watching this video.

Bookmark this page, subscribe or save it somewhere so you can check back when we publish Part 9/9 next week!

Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?

If you got any questions or comments, please comment below.