iThemes Security WordPress Tutorial 2020

Sep 17, 2020 | Security

In this tutorial we will secure your WordPress website from hackers using the iThemes Security Plugin – FREE version. No need for a creditcard, this is a golden plugin right here.

?????? Start here ??????

I want you to succeed with your website, so lets get started.

0:00 iThemes Security WordPress Tutorial 2020 – Intro
1:52 Installing iThemes
2:24 Security Check

Recommended settings:
2:55 Global Settings
4:24 Notification Center
4:56 User Groups
5:18 404 Detection
5:47 Away Mode
6:49 Banned Users
7:10 Database Backup
7:47 File Change Detection
8:58 File Permissions
9:24 Local Brute Force Protection
Password requirements
10:28 SSL
10:36 System Tweaks
11:55 WordPress Salts
12:13 WordPress Tweaks

Advanced settings:
14:08 Admin User
14:32 Change Content Directory
14:52 Change Database Table Prefix
15:16 Hide Backend
Server Config Rules

16:39 iThemes Security Admin Messages
16:54 A Word from the Doctor – Outtro  

✅For tips and tricks on getting the most out of WordPress, don’t forget to subscribe:

iThemes Security WordPress Tutorial 2020


In this tutorial I will show you step by step how to configure iThemes Security – the free version. I will show you how to secure the most abused login ways on your WordPress website, how to secure your backend so that nobody can brute force attack you, how to enable or disable all those emails coming from iThemes, and of course, I will walk you through all the options within iThemes. Now I have created this tutorial as part of my “WordPress Security – The Circle of Five” because this plugin iThemes, is only one of the five security measures that you should take securing your website. Your security is just as strong as the weakest link. So definitely watch that video before you go and install iThemes, because it will give you the context and it will help you secure every part of your WordPress website. And I want you to be safe, because I once got hacked, years ago in my early years. I’ve been building WordPress websites since 2004, and once upon a time, I woke up and look at my website, and BANG – this is what I saw. Did it look great? No! Did I hated it? Yes! Did I fix it? Of course! But prevention is always better than to fix it. Well, as I have my own national hosting company and my web development agency, I am responsible of quite a lot of traffic on the internet for my websites clients, so yes, it should be secure. Are these websites being attacked? Yes sir, every single day we get automated attacks from different countries all around the world. So follow me, and I will guide you through this process of installing and securing your WordPress website with iThemes. Let’s go.

Login to your WordPress dashboard. It will be the last time that you will be using /wp-admin/, so enjoy. So you go to ‘plugins’ -> ‘add new’. And we search for plugins: “iThemes Security”. You press ‘Install Now’. And we press ‘Activate’. When the plugin is activated we go on the left side we press ‘Security’, and we go to ‘Settings’ and immediately, we’re starting with the security check. Press ‘Enable Security Check Pro’, and press ‘Secure Site’. So fill in your email address right here. And press ‘Activate Network Brute Force Protection’ and ‘Redirect HTTP requests to HTTPS’. Well done, your site has been secured in the basics. Alright let’s press ‘Close’.

And let’s start with all the settings that we need to change. The security check – we just did it, so we can go to the ‘Global Settings’. Press ‘Configure Settings’. In here you will find the global settings. You can change here the messages that people will see when they try to login to. “You have been logged out due to too many invalid login attempts. You really didn’t think we were that stupid, did you?” “your IP address has been flagged as a threat by the iThemes network. You really didn’t think we were that stupid, did you?” Alright here you can change how many times someone will be banned after they try to log into your WordPress website. It’s standard on three lockouts, we can keep it that way and they remain it for seven days. And if you try to login within 15 minutes – three times, then you will be locked out. Let’s change it to 20 minutes. And if you don’t use a VPN, you can press this button and it will add your current IP to the authorized Host List. This means that you will never be locked out from your own website, it is very important to do that. However, if you are like me, you have a VPN. And this IP address will change every time I restart my PC. So i’m going to remove this, because it will not make any sense. All right, this is all about the log files. Log files are very handy if you want to see what went wrong sometimes. And we press ‘Save Settings’. All right, let’s go to the ‘Notification Center’. This is very important because you don’t want to receive an email every single day. So if you just scroll down, you can now change this ‘Security Digest’. I would recommend this to turn this off and turn this off because you really don’t want to receive every single day an email from iThemes that something happenend in regarding to your security. Of course, if you want to receive those meals, and if you’re very interested, just leave them on and press ‘Save Setting’. Here you can change the user groups per user what they must do. Well you have to turn this off for all users ‘Manage iThemes Security’, you’re the only one that should really do this. We do require strong passwords, so that everybody needs to have the strong ones. Press ‘Safe’, and press ‘Close’. All right here is a ‘404 Detection’- ‘Automatically blocks users snooping around for pages to exploit’. My advice is to enable this one, press ‘Configure Settings’ and let’s put them on five minutes and 20 errors. When they hit 20 errors they will be blocked out from your website. These files are on the ignore list – very important. And these file types will be ignored because they can’t do anything with these files. Press ‘Save Settings’. This is the ‘Away mode’. If you enable this one and we go to ‘Configure Settings’. This way you can just block out your WordPress dashboard in a certain time frame. So let’s restrict it from 1AM to 6AM in the night because this is my timezone and I never worked between one and six. Press ‘Save Settings’ and you won’t be able to access your WordPress website between those times. Remember, this is a powerful feature! You will NEVER be able to enter your WordPress website between these times. So think about it, remember it, you cannot update your website by this times and make sure that your timezone settings is okay, because when this time is not correct, you have a problem. Because you will be locked out when you’re trying to change your website. So keep that in mind. Be careful with this setting. All right, if you’re happy with it, press ‘Save Settings’. And we go to the ‘Banned Users’. You can enable the ‘’s ban list’ this is a very good list, just enable this one. And if you want to ban a host individual, and you got an IP number, you can add them here. I’m sure you don’t have any bad IP’s. But if you do, just add them here. Press ‘Save Settings’. And let’s go to the database backup. If you don’t have a database backup in place, or your host does not create daily backups, you can create these daily backups and they will email them to you. You press ‘Enable Scheduled Database Backups’, and you can backup the interval for let’s say, one day or three days or 13 days or whatever you would like to do. We are using our hosts to do all the backups and it’s a very solid system, so we we don’t enable any settings we just press ‘Save Settings’. All right, let’s enable the ‘File Change Detection’. on this website. With this module enabled, iThemes will constantly check your website, if there have been changes on your website. You can scan the files right now. And then they can see if there are changes happening on your website. So there are some folders that you need to exclude from this list or you will get emails every single day from changed files. Just go ahead and when you see those emails, you can ignore and exclude those files from this module. I’m talking about the /tmp/ file and we can exclude it. We can also exclude for example, the /ai1wm-backups/, we can also exclude wc-logs, becasuse those those things will change very often. /wpcf7_uploads/ we need to exclude those from the scan or you will get every single day an email, that those files has been changed. Alright press ‘Save Settings’. And we go to ‘File Permissions’ press the ‘Load Files Permissions details’, and on the file permissions you will see that the suggested value must be 755, this is for security reasons. If you see files like this, and you’ll see this warning, you should change these to 755. Because 444 is not very safe. Press ‘Close’. And we go to the ‘Local Brute Force Protection’. Here you can change the max logins attempts and per user and the minutes out to remember them. So let’s make that three attemps. And let anyone try for five times. And we have to remember it for 10 minutes. All right, the admin user. You should never have a Admin user on your WordPress website because it’s the most used user on the world. So immediately ban a host that attempts to login using the admin username. This is a powerful feature, but remember, if you try to login this way, you will be blocked out your own website immediately . Unless… you have white listed your IP address in the previous module. So press ‘Save Settings’. And we go to ‘Password Requirements’. Strong passwords are enabled. Which one? All of them should use strong passwords! Press ‘Save Settings’ and we go to ‘SSL’. we have enabled this one so it’s okay press ‘Save Settings’. Then go to the ‘System Tweaks’ press ‘Enable’ and press ‘Configure Settings’. All right, we need to protect the system files, its very important so no one can access these files. We should disable directory browsing, yes filter request methods, yes, we should filter that one. If you see that your WooCommerce webshop or anything is dysfunctioning, you can turn this off and see if that fixes your problems. Suspicious query strings, we should really filter them out, because they will add a lot of characters and a lot of strings into your URL to see if something happens. ‘Filter non-English Characters’, if you have a website that is English or another language, just press this one ‘Filter non-English Characters’ so they will be removed automatically. We don’t want that so you can safely turn this on if you see any problems with your webshop, or just off to see if that fixes it all. The file writing permissions, yes, we should remove those and you want to disable the PHP uploads. We want to disable them in plugins, and we want to disable them in themes. Press ‘Save Settings’. And we go to the WordPress salts. It’s a secret key that makes your site harder to hack and access by adding random elements to your password. Right, we just change them and press ‘Save Settings’. Alright, so you have logged out and now we have logged in again and we change the rest. The last one, the ‘WordPress tweaks’ Allright the WordPress tweaks are very important we should remove the Windows Live writer header, unless you use Windows Live writer or other blogging clients that rely on this file. You should disable this one. But let’s enable it. We should remove the RSD header because we don’t need it on this website. If you do integrate services like Flickr, then disable this one. Reduce your comment spam, of course. Disable the file editor – it is this thing, in ‘Appearance’ there is a file editor. If it’s enabled, then anyone who can login to your WordPress dashboard can change these things. The XML-RPC feature – I have told about this one in the ‘WordPress Security – Circle of Five’. And you should really disable this one. Just so you know, if you’re using other third party software, that hooks into your WordPress website, you should enable it. Multiple authentication attempts, we should really block it because this is the most used feature to hack a WordPress website. Restrict access to your REST API. Of course, we should disable your login error messages. So nobody sees what happens when they try to login and they get an error message. Unique nicknames are very important. Let’s force them to do that and disable the users author pages. You should protect your website against Tabsnapping and we should login with email address and username, that is okay, if you want to change that, you can change it to email address only or username only. If you want to change it, I suggest you use email address if You have a non guessable email address. But let’s leave it the same on this website. All right, let’s press ‘Save Settings’. And now we go to the ‘Advanced options’, we have the admin user. If you have a admin username, then you can change this right here to another one. But this change change could cause compatibility issues with some plugins or themes. So make sure to make a backup before you do this. The easiest way to do it, is just to remove your admin user and create a new one. Change your content directory, this is something that you should not do on a live website. I’ve done it a couple of times, and it broke my website instantly, because your content directory is most important to your WordPress website. So never, ever do this on a live website. Change the database database prefix. It’s also a very powerful tool and our database is using the default table prefix “WP_”. This is really a security issue and we should definitely change this. We press ‘Yes’ and everything will be changed before our eyes. press ‘Save Changes’. And now we go to the ‘Hide Backend’ feature. We should really enable this one. And you can add here another URL that you want to use to login to your WordPress website. You should make this unique. So I for example, would do “wp-login-mex-austria”. If they try to login with /wp-admin/, they will be redirect to a custom location. So let’s make the custom location /gotcha-hacker/. And now they will be redirected to that website. Press ‘Safe Settings’. Now we have to login to our website using this URL. Now you better save this URL somewhere safe, because if you forget it, you will never be able to login again in your WordPress website.

So let’s see what happens when we go And we will go to the page “Gotcha Hacker! MEX Austria followed the advice from the WPress Doctor to stay safe. So that works. Alright, here are your server config rules. If you don’t know what this is, please leave this page by pressing the cross. So now your website has been thoroughly set up and secured by iThemes Security. If you press on this little button up here, you will see a little bit of messages when iThemes want to warn you about something. You can dismiss them pressing the cross and you can review the logs if you see anything interesting to look at.

All right. Very good. You have secured your WordPress installation with iThemes, I’m proud of you! Now that wasn’t so hard was it? So if I helped you out in this video hit that like button so I know we are on the right track. It’s only one of the five you just did, so make sure you watch my video about the “Circle of Five”. If you haven’t watched it yet, you can click it right here. If you have already watched it, then you should definitely watch my other video about WordPress SEO, because your website deserves to be found, and I’m going to help you with it as good as I can. Have a awesome day!