Secure Your WordPress Website Step by Step | iThemes Tutorial 2023

Mar 9, 2023 | Security

Learn how to secure your WordPress website by using a FREE plugin called iThemes Security. In fact, I use it on all of my and my client websites! In this tutorial we go step by step so you can follow along!

👇🏻👇🏻👇🏻 Start here 👇🏻👇🏻👇🏻

Do you want to support my channel? Leave a like or buy Divi / Elementor Pro with 10% discount via the link below. That will help me enormously to create these free videos for you and keep going!

⇒ Software that I recommend:

✅ Divi 10% discount ⇒
✅ Elementor Pro ⇒…
✅ SiteGround 70% discount ⇒
✅ WP Rocket 10% discount ⇒

I want you to succeed with your website, so lets get started.


0:00 Intro
0:49 Install the free iThemes plugin
1:23 Walking through the setup
7:14 The security dashboard
7:42 Setting it up thoroughly
17:07 Advanced settings
20:18 Tools settings
22:42 Configure two-factor authentication
24:46 Fix being locked out by iThemes

✅For tips and tricks on getting the most out of WordPress and Divi, don’t forget to subscribe:

Secure Your WordPress Website Step by Step | iThemes Tutorial 2023


You really don’t want to get hacked, so in this video I’m gonna show you step by step how to completely secure your WordPress website, once and for all. Let me show you what we’ll be covering in this tutorial.

I’ll show you how to set up maximum login attempts. How to hide your entire WordPress back-end. How to set up two-factor authentication. How to regain access to your website if you have locked out yourself. How to set up the notification center. How to close all the gates on your WordPress website. And of course, how to force your users to use strong passwords and two-factor authentication. Let’s go secure your website right now.

Log into your WordPress admin. On your admin page you go to ‘Plugins’ -> ‘Add new’ and we’re going to type in “iThemes” and here you can find iThemes Security. It has more than one million active installations, because it is just a really good plugin to secure your website. And: it is completely free! We press on ‘Install now’ and then we press on ‘Activate’. Well done. What you will notice is a new menu over there, and on your left side you have here a new menu. The first thing we do; we’re gonna click on ‘Settings’ over here. And then we are at the setup. Let me walk you through it right now. We’re gonna choose the type of website that suits you. If you have a webshop, an e-commerce website, please follow this tutorial and I will show you step by step how to configure your webshop. Because it is quite different than the other ones. If you have a ‘Network website’ a ‘Non-profit’, ‘Blog’ ‘Portfolio’ or ‘Brochure’. This website is created for apartments. So I will say, this website is all about a brochure. A simple website to promote your own business. Enable Security check Pro. We’re gonna need it later on. Press ‘Next’. Who are you setting the website up? Well in this case it is my own personal website. Click on it. Do you want to secure your user accounts with password policy? I would say ‘yes’! Because the weakest link in your security, is most of the time the passwords. If you enforce people to use a strong password, it can take a lot of time to crack those safe passwords. Press ‘Next’. Then what do we want to do, we want to have local Brute Force. Yes. We want to have Security Check Pro. Of course. We want to also enable two-factor authentication. We want to have the Network Brute Force, we can scan our website automatically. Let’s enable that also. The downside of this is if you are on cheap shared hosting, you might encounter some problems with performance. Keep that in mind for this feature. And we press ‘Next’. We go to ‘Login security’. Two factor authentication? Yes enable this. This is one of the most powerful ways to protect your website from unauthorized logins. Press ‘Next’. We want to have local brute force, and we also want to have Network Brute Force. Yes enable them both, press ‘Next’. The Site Check, press ‘Next’ and Security Check. Alright press ‘Next’. Well done. Next one is the ‘User groups’. In this case we can use the default groups. And then we can of course configure them per group. On the left side are all the user groups we will be covering in this tutorial. If you don’t know the different user groups or the different roles,
then follow this video of mine. It’s short but I will explain you in detail what all these roles and capabilities mean in WordPress. Very useful. So the settings of the administrators who can do everything on your website, should be like this. They can manage iThemes Security, because it’s basically you. They can create dashboards, but they have to get a strong password, and they cannot use compromised passwords. Also they cannot skip the two-factor onboarding, because this is the most important thing regarding to logins. And ‘Application password’: If you are a developer and you’re working with API’s and creating apps for your WordPress website, keep this enabled. If not, disable this one, because we don’t need it if you’re not a developer.
Then we go to ‘Next’ and then we have the Editors. Well the Editor should not manage iThemes Security. They should not be able to create a dashboard, but they have to use strong password. Refuse compromised password. Skip the two-factor onboarding is disabled for this group, and they should not have application passwords, unless they are developers. Press ‘Next’. With Authors I would also refuse application password, unless they’re developers. Press ‘Next’. Then we have the Contributors. They don’t need the application password but they can also skip the two-factor onboarding if it’s on my website. Because contributors are not that big of security risk as they cannot do as much on their website as the other roles. Press ‘Next’. Subscribers are just normal subscribers to your website, if they want to download stuff or they want to respond on your website you might have added this feature. If you don’t have subscribers just press ‘Next’. For subscribers it might be important to skip two-factor onboarding. Because if your website is not a website where they come every single week they might want to log in leave a comment or anything, and every time using two-factor authentication, It’s a bit of a hassle. So the subscribers don’t have a lot of rights on your website so they can just skip it, and I don’t think they use application passwords. Press ‘Next’. And everybody else could not use application passwords. And then we press ‘Next’. Then we press on this one. In this box you can whitelist your own IP address, so that you will never be locked out from your own website. Which is sometimes really important. Click on ‘Add my current IP to the authorized hosts list ‘. Leave the IP detection on this one and press ‘Next’.

Of course we want a network Brute Force connection. Fill in your email address and just press ‘Next’. This is the notification center we’ll be tweaking this later on, but what you need to do here is fill in your own email address from your current domain. Very important or else your emails won’t get sent by iThemes Security, and you don’t know what’s going on. Now if you have more administrators on your website, then you might want to do them a favor by only selecting your own user. This way you only get reports and not all the other admins on your website. Then we press ‘Continue’. Now this is the overview what we have just done. We have seen all these features, configure settings. it’s everything we have done. Just press ‘Secure site’. And now iThemes will secure our WordPress website. Well done! Everything’s completed, now we press ‘Finish’. Okay the first thing now we do is we click on ‘Dashboard’ over there.
Here you can see the dashboard of
iThemes Security. What can we do over here? Of course we can just drag and drop all the things. Here you can see everything that’s going on on my website. This dashboard will fill itself with; when you have site scans, when you have Brute Force attacks, lockouts, bans overview, you can see everything in here. You can close this banner over there. Now let’s click on ‘Settings’ over here because we need to configure a lot more things. We’re gonna walk through all these settings again and also the Advanced, and the Tools because now we have way more things to configure to really close those gates on these hackers on your WordPress website. ‘Enable enforce SSL’ this is a really important one. All these things are really great. So let’s go to the next one ‘Login security’ over there. Or you can click it over here. We’ll be configuring this when we’re walking through all these things, so you don’t have to press on the gear icon or else you will go to ‘Configure’. Now here you could turn them on or off, but if you click on the security settings we will go to configure, so we’ll be covering this in just a minute. The Site Check, let’s enable the File Change. We gonna configure this in just a minute, which is very important or else you will get spammed every single day, with changes of files on your WordPress website. Then we go to ‘Utilities’ over there. We have already created this one. Enforce SSL, this is all good. User groups, we already configured all these things so these are just great, leave them as it is. Let’s go to ‘Configure’
over there. The lockouts are all good 15 minutes that’s great. 7 days to remember it, is even excellent. Ban Threshold: after three times you have been locked out you will be banned permanently and you can never access your website again. Which is very good, just keep it on three, that’s great. Then we have ‘Lockout messages’. When a computer has been locked out, that’s what I see: “Error you’ve been locked out due to too many invalid login attempts”. Let’s change this to: “You a bad man!” I would say from this message, just remove the iThemes Security Network. So; “Your IP address has been flagged as a threat. You a bad man!” Then the authorized host is of course your current IP address, let’s add it to the list and keep it there. If you’re really interested in what’s going on on your website, you can choose to log everything that happens in your database, in your files only, or both. I would suggest to keep it in your database only. And yes, your database will grow which is not always a good thing, but in this case you can actually control how long the database logs will be kept there. The last option is very interesting

‘Hide Security Menu in admin bar’. They mean this little thing over here, this Security Admin Messages. Most of the time these messages are only about buying iThemes Security Pro, so they’re upselling you. I don’t think it’s necessary in this case, on this website, I would suggest you hide the security admin bar over there. I really like a clean interface. I press ‘Save’ over here. Then we go to the left side, to go ‘Login security’. Click on it. Then we have the two-factor authentication over here. If you want to have control over this, click on this one, and select methods manually. Here you can choose for example ‘I only want people to use a mobile app’ or only the email for example. On this website we’re going to use all methods for everybody. Here you can choose to disable the two-factor authentication on their first login. I would not advise you to do so. Press ‘Save’. Let’s go to lockouts. Enable the default ban list, including the banlist. On this way you can block bots before they actually reach your website. Really useful, just keep it on. This number shows the IP’s blocked by iThemes in .htaccess and nginx.conf. If you’re just a regular user like me, keep it 100 that’s okay. All right then we go up here to ‘Local Brute Force’. Now the first option is a really neat option, I love to enable this one. You should never ever have a user on your website called ‘Admin’. That is the most used username to hack a website, and it comes with default with WordPress. And that’s fine if you change it. If you don’t change it, automatically ban them immediately. If you’re still logging in using a username ‘Admin’. That’s a big no-go! Go to ‘Users’ press ‘Add new’ over there and then you’re going to add yourself as a administrator over there. Then you’re gonna add the new user. Login using this user, and then at ‘All users’ you will delete your original username which is called ‘Admin’. Please do so right now, before we go any further. So then we have the ‘max login attempts per host’ or per computer or per device. I would say change this to three numbers, and then they can switch to another computer, and try to hack you with the other computer. For that we have this one: ‘Max login attempts per username’. So the username should be I guess put it on five, after five tries of one user, you get locked out and then you have to wait 15 minutes. So five login attempts per user within five minutes, will make you get you a ban. Hackers know of course this standard configuration, so we’re gonna change this five minute interval to 15 minutes to remember a bad login. Just press save. Then we go to ‘Network brute force’ over there. It’s already configured, so that’s okay. Let’s go to ‘Sitecheck’. Over here. Here we need to exclude a lot of files. You need to exclude of course your caching. So you go to wp-content and here we have for example ‘All in 1 backups’. If you create automatic backups, you need to add this folder to your excluded files and folders. Really important or else you’ll get constantly mailes about changing files, that are just false alarms and no malicious files. This is the caching system of Elegant Themes, et-caching. If you use Divi select this one and press this one. Then you scroll down a bit you might see also that you have in here a folder called ‘cache’. I’m gonna install WP-Rocket on this website in the next tutorial, so it’s not yet there. Or else you will see here a folder called caching. You need to put caching on that side. If you have more caching folders over here, put them also in the excluded files and folders, or else you will be bombarded with emails. Then we press ‘Save’. Then we go on the left side to ‘Utilities’ over here.

Then we have database backups. Now database backups are really important. So your hosting company should make backups of your files, your database, and your email. Go log into your hosting company, and check if they are really making backups every single night. When things really go wrong, backups are the most easiest way to restore everything. If they don’t make backups – you have to switch hosting – but if you want to be absolutely sure, then enable this scheduled database backup. And then you can change the interval so every three days they will make a backup and send it to your email. Now you can send it to your email only, but you can also make it safe locally on your website. There are pros and cons, if you email it only to yourself then your backup is actually moved from out of your website environment that’s great. And in this section you can actually exclude more database tables from your backup to save a little bit a little bit of space. The default setting is really great, so leave it just as it is. Just keep in mind emailing your entire database, could add up a little bit in space in your mailbox. Press ‘Save’ over here. And then we go to ‘Notifications’ over here. We’ve already set this up so, this is great. Let’s go to the ‘Security digest’. Click over there. The security digest is actually sending you every single day a email what is going on on your website. How many lockouts, how many bad login attempts, how many bans… After a week or two you really get sick and tired of these emails. So I would suggest to go to a weekly email,
or if you’re not interested at all because your website is entirely safe, and you don’t want to see how many lockouts. Just press on this one, and then it’s completely disabled. Then you can go to site lockouts. Now you can get a email to notify you when a user or host is locked out of your website. Trust me, this will happen a lot more than you actually think. So I would say just disable this email notification. Then we go to ‘Database backups’. Here you can specify a email address where your database backup will be mailed to. Let’s go to ‘File change’. If you want to receive a email after each time the scan runs and emails you a report if change has been detected, keep this on. Then this subject I will change it a little bit to… so that you actually know it is quite important, and some files has been changed on your website. And then we go to ‘Site scan results’. When it discovers an issue on your website, you will receive email, just keep it like this. Then your two-factor email, now this is the email people receive when choosing the two-factor authentication method from email. You can translate it if you have another language than English, and it’s not in here, you can translate it for people if you want. if not just keep it like this,
works great. Then we go to the two-factor email confirmation. Which is actually exactly the same, translated if you want if not just keep it like this. We are almost done however don’t skip these steps, because now we’re going to tune the Advanced Settings, and the Tools, to make it even more secure from hackers on your website. Click on ‘Advanced’ over here. Just make sure all these things are enabled. Let’s go to the WordPress tweaks over there. Now there are some important things we need to change over here. You can enable and disable it with this. It just adds some security layer. Not much, but if if you’re never ever using this, keep it on disabled. Now this is really important, most hacks are being executed by an API call. We need to disable the access to XML RPC. If you’re not using for example the hideous Jetpack plugin, some WordPress mobile apps to make blogs on the go, and even pingbacks on your blogs, then you should really disable this XML RPC. Even if you don’t know what I’m talking about but you’re not using apps to create your website, disable it. Really important it will save you a lot of time. Now then we go to the rest API. Now if you’re not using API’s you’re not a developer, and you don’t know what I’m talking about, make sure to restrict your access to the rest API, because simply you don’t need it, and it is a big security risk. If we now scroll down you can choose if users can log in with their email address and username, or just one of both. If it makes you feel safe, you can use email address only. Because email addresses are not easily to find when scanning a WordPress installation from the outside. You can force a unique nickname, always useful. And this one is very important, disable extra user archives. And now we go to ‘Hide backend’ over here. This is a really powerful feature to hide the backend, which I always use, and I always like it. Just enable this one. And what you now will do is you change your login slug to something completely different than wp-admin or wp-login. What we need to do is you need to create something that only you can remember, but make sure to remember it because I get a lot of comments in my other videos, about “I cannot log in anymore” “I am locked out” “I changed my URL and now I can’t log in again”… Make sure to actually save this. Somewhere safe, and only you know. Let’s change it to “login-admin-safe” or I’ve seen people using just a simple “start” “log-me-in-safe” “i-want-to login”. Let’s go with I want to login over there. The register slug, you can also change it this one. However if you just disable users from registering on your website, you don’t need to change this. When someone tries to log in using wp-admin, redirect them to another page which is actually really fun. I would redirect them to a page called “you-bad-man”. And then we have a custom login action, if you’re not a developer you might not want to use it. Press ‘Save’ over here. Well done, we are almost done, the last thing we do is we go to ‘Tools’ over here. What we need to do here, is we need to identify our server IP address. Which is important to have for iThemes. Just click ‘Run’ here it goes. All right. ‘Change the database table prefix’. That is not necessary if you have a good hosting company, wich automatically change the database prefixes. If you want to do this, I know my databases have a prefix which is already random, so that’s great. If you don’t know that for sure, you can press on ‘Run’, but before you do that, hold on, make sure “We strongly recommend creating a backup of the database”. Because if something goes wrong your entire website will be broken. Then we go to the Encryption Key. Here you can re-encrypt the encryptions keys. If you want to do this click on ‘Confirm reset key’ and press ‘Run’ over there. Check your file permissions press run and this will create a list of things we have to change.
Now these are my files on my server,m and as you can see that it gives a warning to WP config and .htaccess and why? The current value is 644. Which means: the server can write to it, and then 44 means other people can only read it, and not change it. Which is actually a good value for these two files, as I have certain applications and plugins that need to write to the wp-config file and .htaccess file. As long as these values are okay and they’re not red as in ‘Critical’ you should be fine. If you ever see one red thing and it says critical, follow this tutorial I have with FTP, and I’ll show you how to change your file permissions running smoothly with FTP. Its free and it’s totally easy to do. After this we press ‘Server config rules’

hhere you can see everything iThemes
have been created, which is great. Just keep it in there, don’t press on run. You can do it but it’s okay. Then wp-config we have these things, these are great. Change to salts. You could do this but only if your website suspect your site has been compromised. This will force all users to log in again. And then of course we have the security check Pro. And just press on ‘Run’ over here. Yes we have remote IP entries to protect everything, so as redirected as recommended, so we’re all good! Before you go: one more thing we absolutely need to do. We need to configure our two-factor authentication. Tnd this is how it works. Don’t forget to copy your login slug, because you’re gonna need it. Press copy. And now you just press log out from your website, over there. Then just reload your website front page. And try to go to wp-admin. So as my cookies are still enabled, I can log in using wp-admin yet, but tomorrow this will be reset and then it’s not anymore possible. So login with your username and your email address, like this. And then we just press ‘Log In’. And this is the thing we see: Set up your two-factor authentication. We press ‘Continue’. Then we can choose what do we want to do. Mobile app, email, backup codes… Still this is a bit confusing, because you think it’s disabled I can’t use it. No. You can use it if you click on this icon, over there. I want to use a mobile app so I’m going to click on this arrow. And we need to use one of the authentication apps on our mobile device. So choose what you have iOS or Android. Then just pick your authenticator. Like authenticator from Google or the Microsoft, whatever you want to use. So on our mobile phone we just press on this plus icon over there. And then we need to scan our QR code. You can see my website from alphabet and the username from the website. When you have that on your app you can press ‘Continue’ over here. We need to fill in the authentication code from the app. And then you press ‘Verify’. Now we can see that the mobile app has been enabled. Right there. Now we also need to configure the email. Press on ‘Enable’. And once you have email and mobile app you can press ‘Continue’. And now our two factor is all set up and ready to go. Press ‘Complete’. Now the next time you log in, you will be prompted for a username a password and a authentication code. Fill them all in press log in, and then, that’s the only way you can log into your WordPress website. On my other videos a lot of people asked me: “What should I do when I’ve locked out myself from my own website? I can’t log in again” or “The slug has been changed, it doesn’t work! What do I do?” It’s really easy to fix that, and I’m gonna show you right now. The only thing you need is access to your files, on your server. If you have no clue how to do this, follow this tutorial and I’ll show you exactly from all kind of different hosting companies how to set up FTP completely free. Log into your website and enable you to edit your files. The most easiest way however is just to go to your hosting company, and go to a file manager like this.
I’m at Siteground, so the file manager is just right there, it’s really easy. Click on it. We need to go to the public-html, you can do this with the FTP program, or just with the file manager, works exactly the same. As long as you see this: wp-admin, wp-content… then you are in the right place. We go to wp-content. Then we go to plugins over there. Then you go to better-wp-security and you’re going to change this name. Rress ‘Rename’. Change this to (broken) for example. Press ‘confirm’. Now you go back to your WordPress website. And now you notice that you can just log in again using /wp-admin/. You don’t have the two-factor authentication so it is just reset, like it has never been installed before. What do we do right now? We’re going to login with our credentials. When you have are inside and logged in,

you go to ‘Installed plugins’ over here. And you can see iThemes Security has been disabled due to an error – plugin file does not exist. What do we do right now? Don’t press anything, go back to the file manager. And in the file manager we go back to the (broken), select it, and rename it again back to normal. So delete what you have changed. Press ‘Confirm’. There you go. Now it’s back to normal. All right. Then you refresh this page in WordPress just press F5 on your keyboard, the error is gone and you can activate it again. Now press ‘Activate’ over here. Then you go to ‘Security’ and you go to ‘Dashboard’ over here. On your dashboard you can see – sometimes you have to scroll down – you can see Banned users over there. And if you can see your own IP address here, you can just click on it and delete it, so you have been unbanned and you can log in again. No problem there, works like a charm. If you don’t remember your url login just go back to your settings, go to your Advanced, and then we go to ‘Hide backend’ in here ,and then you can change your login slug to whatever you want. If you have any questions or you just want to say “Thank you Matt!” drop it down in the comments, I really appreciate it, and I always reply. If you want to see more WordPress related videos you can subscribe over there, and also check out this video! Which is really safe. completely safe to watch!