In this tutorial I'll show you step by step how to configure iThemes Security-the free interpretation. I'll show you how to secure the most crushed login ways on your WordPress website.
how to secure your backend so that nothing can brute force attack you, how to enable or disable . all those emails coming from iThemes, and of course, I'll walk you through all the . options within iThemes.
Now I've created this tutorial as part of my"WordPress Security-The Circle of Five" because this plugin iThemes, is only one of the five security measures that you should . take securing your website.
Your security is just as strong as the weakest link. So surely watch that blogs before you go and install iThemes, because it'll give . you the environment and it'll help you secure every part of your WordPress website.
And I want you to be safe, because I formerly got addressed, times ago in my early times. I have been erecting WordPress websites since 2004, and formerly upon a time, I woke up and . look at my website, and BANG-this is what I saw.
Did it look great? No! Did I abominated it? Yes! Did I fix it? Of course! But forestallment is always better than to fix it. Well, as I've my own public hosting company and my web development agency, I'm responsible . of quite a lot of business on the internet for my websites guests, so yes, it should . be secure.
Are these websites being attacked? Yes joe, every single day we get automated attacks from different countries each around . the world. So follow me, and I'll guide you through this process of installing and securing your .
WordPress website with iThemes. Let's go. Login to your WordPress dashboard. It'll be the last time that you'll be using/ wp-admin/, so enjoy. So you go to'plugins'->' add new'. And we search for plugins"iThemes Security".
You press' Install Now'. And we press' Spark'. When the plugin is actuated we go on the left side we press' Security', and we go to .' Settings'and incontinently, we are starting with the security check. Press'Enable Security Check Pro', and press' Secure Point'.
So fill in your dispatch address right then. And press' Spark Network Brute Force Protection'and' Deflect HTTP requests to HTTPS'. Well done, your point has been secured in the basics.
Alright let's press'Close'. And let's start with all the settings that we need to change. The security check-we just did it, so we can go to the' Global Settings'. Press'Configure Settings'. In then you'll find the global settings.
You can change then the dispatches that people will see when they try to login to. "You have been logged out due to too numerous invalid login attempts.
You really did not suppose we were that stupid, did you?" ."your IP address has been flagged as a trouble by the iThemes network. You really did not suppose we were that stupid, did you?" .
Alright then you can change how numerous times someone will be banned after they try to log into your WordPress website. It's standard on three strikes, we can keep it that way and they remain it for seven days. And if you try to login within 15 twinkles-three times, also you'll be locked out.
Let's change it to 20 twinkles. And if you do not use a VPN, you can press this button and it'll add your current IP . to the authorized Host List. This means that you'll noway be locked out from your own website, it's veritably important . to do that.
Still, if you're like me, you have a VPN. And this IP address will change every time I renew my PC. So i am going to remove this, because it'll not make any sense.
All right, this is each about the log lines. Log lines are veritably handy if you want to see what went wrong occasionally. And we press' Save Settings'. All right, let's go to the' Announcement Center'.
This is veritably important because you do not want to admit an dispatch every single day. So if you just scroll down, you can now change this'Security Digest'.
I would recommend this to turn this off and turn this off because you really do not want to admit every single day an dispatch from iThemes that commodity happenend in regarding to your security. Of course, if you want to admit those refections, and if you are veritably interested, just leave . them on and press' Save Setting'.
Then you can change the stoner groups per stoner what they must do. Well you have to turn this off for all druggies'Manage iThemes Security', you are the only . one that should really do this. We do bear strong watchwords, so that everybody needs to have the strong bones. Press' Coffer', and press'Close'.
All right then's a'404 Discovery'-'Automatically blocks druggies poking around for runners to exploit'. My advice is to enable this one, press'Configure Settings'and let's put them on five twinkles . and 20 crimes.
When they hit 20 crimes they will be blocked out from your website. These lines are on the ignore list- veritably important. And these train types will be ignored because they can not do anything with these lines. Press' Save Settings'.
This is the' Down mode'. If you enable this bone and we go to'Configure Settings'. This way you can just block out your WordPress dashboard in a certain time frame.
So let's circumscribe it from 1AM to 6AM in the night because this is my timezone and I noway worked between one and six. Press' Save Settings'and you will not be suitable to pierce your WordPress website between those Times.
Remember, this is a important point! . You'll Noway be suitable to enter your WordPress website between these times. So suppose about it, remember it, you can not modernize your website by this times and make . sure that your timezone settings is okay, because when this time isn't correct, you . have a problem.
Because you'll be locked out when you are trying to change your website. So keep that in mind. Be careful with this setting. All right, if you are happy with it, press' Save Settings'. And we go to the' Banned Druggies'. You can enable the'HackRepair.com's ban list'this is a veritably good list, just enable this . one.
And if you want to ban a host existent, and you got an IP number, you can add them . then. I am sure you do not have any bad IP's. But if you do, just add them then. Press' Save Settings'. And let's go to the database backup. Still, or your host doesn't produce diurnal backups, ,
If you do not have a database backup inplace.you can produce these diurnal backups and they will telegraph them to you. You press' Enable Slated Database Backups', and you can coagulate the interval for let's . say, one day or three days or 13 days or whatever you would like to do. We're using our hosts to do all the backups and it's a veritably solid system,
so we we don't . enable any settings we just press' Save Settings'. All right, let's enable the' Train Change Discovery'. on this website. With this module enabled, iThemes will constantly check your website, if there have been changes . on your website.
You can overlook the lines right now. And also they can see if there are changes passing on your website. So there are some flyers that you need to count from this list or you'll get emails every single day from changed lines. Just go ahead and when you see those emails,
you can ignore and count those lines from . this module. I am talking about the/ tmp/ train and we can count it. We can also count for illustration, the/ ai1wm- backups/,
we can also count wc-logs, becasuse those . those effects will change veritably frequently. /wpcf7_uploads/ we need to count those from the checkup or you'll get every single day an dispatch, that those lines has been changed. Alright press' Save Settings'.
And we go to' Train Warrants' press the' Cargo Lines Warrants details', and on the . train warrants you'll see that the suggested value must be 755, this is for security reasons. Still, and you will see this warning, you should change these to 755,
If you see lines like this. Because 444 isn't veritably safe. Press'Close'. And we go to the' Original Brute Force Protection'. Then you can change the maximum logins attempts and per stoner and the twinkles out to remember them.
So let's make that three attemps. And let anyone try for five times. And we've to remember it for 10 twinkles. All right, the admin stoner. You should noway have a Admin stoner on your WordPress website because it's the most habituated stoner on the world. So Incontinently ban a host that attempts to login using the admin username.
This is a important point, but remember, if you try to login this way, you'll be . blocked out your own website incontinently. Unless. you have white listed your IP address in the former module. So press' Save Settings'. And we go to' Word Conditions'.
Strong watchwords are enabled. Which one? All of them should use strong watchwords! Press' Save Settings'and we go to'SSL'. we've enabled this bone so it's okay press ' Save Settings'. Also go to the'System Tweaks' press' Enable'and press'Configure Settings'.
All right, we need to cover the system lines, its veritably important so no bone can pierce these . lines. We should disable directory browsing, yes sludge request styles, yes, we should filter . that bone. Still, you can turn this , If you see that your WooCommerce webshop or anything isdysfunctioning.off and see if that fixes your problems.
Suspicious query strings, we should really filter them out, because they will add a lot . of characters and a lot of strings into your URL to see if commodity happens. ' Sludgenon-English Characters', if you have a website that's English or another language, .
just press this bone' Sludgenon-English Characters'so they will be removed automatically. We do not want that so you can safely turn this on if you see any problems with your webshop, or just out to see if that fixes it all. The train writing warrants, yes, we should remove those and you want to disable the PHP . uploads.
We want to disable them in plugins, and we want to disable them in themes. Press' Save Settings'. And we go to the WordPress mariners. It's a secret key that makes your point harder to hack and access by adding arbitrary rudiments to your word. Right, we just change them and press' Save Settings'. Alright, so you have logged out and now we've logged in again and we change the rest.
The last bone, the'WordPress tweaks'Allright the WordPress tweaks are veritably important we . should remove the Windows Live pen title, unless you use Windows Live pen or other . blogging guests that calculate on this train. You should disable this bone. But let's enable it. We should remove the RSD title because we do not need it on this website. Still, also disable this one, If you do integrate services like Flickr. Reduce your comment spam, of course.
Disable the train editor-it's this thing, in' Appearance'there's a train editor. Still, also anyone who can login to your WordPress dashboard can change these , If it'senabled.things.
The XML-RPC point-I've told about this bone in the'WordPress Security-Circle of Five'. And you should really disable this bone. Just so you know, if you are using other third party software, that hooks into your WordPress . website, you should enable it.
Multiple authentication attempts, we should really block it because this is the most habituated . point to hack a WordPress website. Circumscribe access to your REST API. Of course, we should disable your login error dispatches. So nothing sees what happens when they try to login and they get an error communication.
Unique aliases are veritably important. Let's force them to do that and disable the druggies author runners. You should cover your website against Tabsnapping and we should login with dispatch address and username, that's okay, if you want to change that, you can change it to dispatch address only . or username only. Still, I suggest you use dispatch address if You have a non guessable ,
If you want to changeit.email address. But let's leave it the same on this website. All right, let's press' Save Settings'. And now we go to the' Advanced options', we've the admin stoner. Still, also you can change this right then to another one, If you have a admin username.
But this change change could beget comity issues with some plugins or themes. So make sure to make a backup before you do this. The easiest way to do it, is just to remove your admin stoner and produce a new bone. Change your content directory, this is commodity that you shouldn't do on a live website.
I have done it a couple of times, and it broke my website incontinently, because your content . directory is most important to your WordPress website. So noway, ever do this on a live website. Change the database database prefix. It's also a veritably important tool and our database is using the dereliction table prefix"WP,".
This is really a security issue and we should surely change this. We press'Yes'and everything will be changed before our eyes. press' Save Changes'. And now we go to the'Hide Backend' point.
We should really enable this bone. And you can add then another URL that you want to use to login to your WordPress website. You should make this unique. So I for illustration, would do"wp-login-muniblogs". Still, they will be deflect to a custom position, If they try to login with/ wp-admin/.
So let's make the custom position/ gotcha- hacker/. And now they will be diverted to that website. Press' Coffer Settings'. Now we've to login to our website using this URL. Now you better save this URL nearly safe, because if you forget it, you'll noway be . suitable to login again in your WordPress website.
So let's see what happens when we go https//muniblogs.com/wp-admin/. And we will go through the base gotcha hacker maximum Austria fall deifies from the WordPress croaker to stay safe. So that workshop. Alright, you our garçon config rules.
Still, please leave this runner by pressing the cross, If you do not know what this is. Know your website has been completely set up and secured by ITM security Pro. Still, you'll see a little bit of dispatches when , If you press on this little button uphere.
I want to advise you about commodity. You can dismiss them pressing the cross and you can refute the cinches if you see anything intriguing to look at. All right. Veritably good.
You have Secure your WordPress installation with iTunes. I am proud of you. Now that was not so hard was it? So if I helped you out in this blogs hit that like button so I know we're on the right track. It's only one of the five you just did.
So make sure you watch my videotape about the circle five. Still, you can click it right then, If you have not watched it yet. Still, also you should surely watch my other videotape about WordPress ,
If you have formerly watch edit. SEO, because your website deserves to be plant. And I am going to help you with it as good as I can have a stupendous day.