How to Secure your WordPress Webshop with iThemes

Aug 12, 2022 | Security, WooCommerce, WordPress plugins

You don’t want to get hacked, so lets secure your WooCommerce webshop once and for all with iThemes! 👇🏻👇🏻👇🏻 Start here 👇🏻👇🏻👇🏻

Do you want to support my channel? Leave a like or buy Divi / Elementor Pro with 10% discount via the link below. That will help me enormously to create these free videos for you and keep going!

⇒ Software that I recommend:
✅ Google Sheet & WooCommerce Sync ⇒
✅ Divi with 10% discount ⇒
✅ Elementor Pro ⇒
✅ Hosting & Domain provider ⇒
✅ Best caching plugin ⇒

I want you to succeed with your website, so lets get started.

0:00 Intro
0:30 Install iThemes Security
0:52 Setup iThemes Security
6:25 The dashboard

7:40 Securing all settings step by step
8:06 Site Check – File Change
9:00 Site Check – Site Scan Scheduling
9:29 Utilities – Enforce SSL
10:10 Utilities – Database Backups
11:44 Configure – Global Settings
14:10 Configure – Login Security
15:54 Configure – Lockouts – Ban Users
16:29 Configure – Lockouts – Local Brute Force
16:46 Changing your own ADMIN username
17:37 Configure – Lockouts – Network Brute Force
17:45 Notification Center
17:55 Notification Center – Security Digest
18:14 Notification Center – Site Lockouts
18:34 Notification Center – Database Backup
18:40 Other notifications
18:50 Advanced section
18:56 Advanced section – System Tweaks
19:39 Advanced section – WordPress Tweaks
22:18 Advanced section – Hide Backend
23:40 Tools
26:22 Setup two-factor authentication

Thank you for watching! 😀

✅For tips and tricks on getting the most out of WordPress, don’t forget to subscribe:


How to Secure your WordPress Webshop with iThemes


You will sleep so well tonight knowing that your webshop has been completely secured, following all these steps in this video. We’re gonna secure your WordPress webshop right now. Log into your webshop. You might still be using /wp-admin/ which is the worst way to login, because it’s known around the world, so bots can automatically try to log in using only this URL. We’re going to secure and change this in just a minute. So what we need for our WoocCommerce website to be completely safe is we’re going to need a plugin. Press ‘Add new’ and the entirely free plugin we’re going to use is type in “iThemes Security”. We’re going to press ‘install now’. Press ‘activate’. In here you can see the setup button. Uou can press over here ‘Setup’ or you can just go to here and press ‘Settings’. Let’s set up our security step by step. I’m going to guide you through all these settings and explain them to you so you know what’s going on. We’re going to press eCommerce and we’re going to set this up for ourself. Then you want to select your the WordPress roles given to the customers. I don’t have subscribers on this website but you might have, or else just only select customers and press next. Now do you want to secure your customers account with password policy? When they’re creating an account they have to fill in a password. Most passwords are just really lame and easy to guess or to hack. Now the problem with that is, if someone can log into your system with a hacked account, there are more ways to hack you than when they are still outside. So yes, we’re going to enforce a password policy for these users. Press next. Now this is one of my favorite features and one of the best ways to lock hackers out. Two-factor authentication. If we enable this one, no administrator will be allowed to log into your webshop without entering a code from for example your mobile phone. We’re gonna set it up in just a minute. For now we press next. And yes, we want to be secured against local brute force and network brute force. What does it mean? Well the local is just auto bots or things trying to guess login details from your website, and then we can join a network which actually reports all kinds of IP addresses so that you’re already safe before they even try to connect to your website. Press next. With the Security Check Pro – I want this, and then every IP address is trying to reach my server will be checked against the iThemes Security server, if they are okay. Press next. Here you can change user groups with specific security measures. If you just use default, the customers, they cannot manage the iThemes Security  – of course never ever allow this for your customers. They don’t have access to the security dashboard, they need strong password, we will refuse compromise password – it will be checked against a list of leaked passwords – I would say for customers and they actually should be able to skip the two-factor onboarding, because for customers it’s not that important that they really log in using a cell phone, it just causes a bit of irritation and frustration. However for the administratiors coming up, we’re going to enable this. And then we press next. And now we are at the administrators. The administrators should have access, security dashboard, but they cannot skip the two-factor onboarding because it is way too important for the admins. Press next. Then we have the editors. I’ve created a video about all the different user roles you can watch right here which explain to you what the difference is between the admins editor authors contributors and customers if you don’t have any editors on your website then leave this the way it is it is excellent if you do have them don’t enable skip to factor onboarding because it’s important also for editors because they have a lot of rights press next alters exactly the same press next contributors i would say contributors would be allowed to skip the two-factor onboarding and everybody else should be unable to skip it because they’re not important then we press next then we’re going to configure the rest of the settings press recommended then we have authorized host this is your ip address that will never be locked out how many bad attempts you’re trying to log into your own website this is useful to put it on right there so press add my current to the authorized host list like this very important keep it there then we can change the ip detection to security scan check recommended or you can just put it on automatic manual or disable entirely i would say we should keep it on automatic because the security check scan will take a little bit more time before someone can enter your webshop however speed is very important in your webshop if you notice however that you are a lot of attacks then you could change this to securities check scan but for now we’re keeping this on automatic this is the api configuration they need your email address so you can actually make use of their api calls so so we’re just going to add in our email address over there if you want to receive weekly email updates check this box you will get a lot of information about the wordpress world and security it’s interesting but if you don’t like it don’t check this box now this is the notification center you will get a lot of emails and i mean every single day about what’s happening on your website however you have to fill an email address so later on we can turn this off you have to fill in your email address used by your webshop to send out mails make sure it’s the same or else it won’t work and you can actually change the default recipient all admins or only me well i’m going to change this to only me and we’re actually going to change the entire notification center in just a minute because i own more than 10 websites plus all my clients website they’re all configured with i themes i don’t like to receive 60 mils a day from different item security websites press continue then we have the overview is just everything we have just configured just press secure aside and then we just press finish good work your site is more secure than ever we are halfway because now we have to tune some settings even further because there are still some gates wide open first i’m gonna show you the dashboard click on dashboard the first thing we do is actually close this message over here well then you can just change this all around just like a normal dashboard which is excellent what you can see is the banned users whenever you customer tries to log in or some of your clients or whatever they will be over there which is useful to change and give them access again the side scans are over here which is really new because i themes saw that for example on my video when i tried to clean a website’s malware i always use a different plugin for this but i like items better than the other plugins so what did they decided to change the side skin from the pro version and put it into the free version so that’s why it is over there and i’m really happy with it that was one feature that was lacking in itunes but it’s there so that’s amazing here you can see your logouts just some beautiful graphs data over here and your database backups if you want to do that all right let’s just go to settings over there or settings over here and now we can see a different kind of settings because we have advanced settings and we have tools and you have different multiple options we’re going to cover all of them don’t worry it’s going to be very fun so the two factor authentication we enabled this one and if you press on the gear icon you will go to configure so we’re covering it later on go to logouts all these things will be covered in the configure settings then you go to sidecheck you can monitor site for unexpected file changes you can turn this on and then you receive a email every time a file has been changed just keep in mind that woocommerce and your caching plugins and automatic updates will actually generate a lot of changing of files so you will be notified every single time about it to change it will be covered in the configure settings like this then you should add actually excluded files you should go to wp content and then you should for example use the et cache select this one this entire folder and for example if you create a lot of backups you should choose this one and also add them into excluded files and folders and also if you’re using wp rocket or something it should say you have another folder called caching editing over there press save and then you’re fine and then you have the size skin scheduling this is actually a new powerful feature of itunes it protects your site automatically with side scans this will scan your website twice a day it might be a lot so you can actually do it manually once a week or something but i know you will forget it so if you think well this is useful for me just enable this one if you notice that your webshop is very slow at some times disable this one and do it manually go to utilities in my last tutorial i got a lot of questions that yeah i turned this on but i still don’t have the lock in my browser no you only turn this on if you already have this lock in your browser and how do you get it over there you need to go to your hosting company enable ssl for your website get a ssl certificate like the let’s encrypt free ssl and then you can add in enforce ssl so that way also on your server it’s been enforced and also within wordpress everything will be loaded using https which is safer so definitely turn this on security check check pro we already added it and then we have the database backup you can you can go to the settings right now and we can sketch this for example what does this do it will send you a backup from your database and you can do it within one day or you can do it every day or you can do it between after three days again for a webshop your database will change every single day because when a customer adds a new order it’s stored in the database you actually want to have a backup every single day but remember when using this setting it will email to you now a woocommerce database with a lot of products will actually get very big so you will receive emails like 50 mbs or something that could really add up so you should you can also choose to just save them locally and it will be stored in your wp content uploads item security backups folder and you can get them from there using your file browser from your hosting company or with ftps just choose the one you want but remember if you just really turn this off you wish you would have a backup when things go sideways make sure to retain them to for example 30 backups after 30 backups the oldest one will be removed to make plays for the newest one you can also put it on 15 or whatever you want all the tables in your database should be backed up except the items security logs stamp logouts and all these things because it’s not interesting when restoring your entire website let’s press save let’s go to configure the global options of course this needs to be checked or else nothing works 10 minutes to lock out if a customer for example tries to log in and it tries three times in a row like this three times then it will be locked out for 15 minutes you can actually change this to 30 minutes or change it to for example 5 minutes i would say we change it to 30 minutes because that way bots really can’t answer your webshop anymore however if you’ve noticed that a lot of clients are complaining i’ve been locked out and oh i can log in then you should change this to 5 minutes so they can call you and you can say well just wait for five minutes try again i will reset your password or whatever this is how many days a logout should actually be remembered by ithemes i would say seven days is perfectly fine what happens if someone every time he’s being locked out by items well after three times he will be banned they first get a error lockout message and the message should be you have been flanked by our security system you’ve been locked out due to many inverted login attempts please contact our webshop if you run into problems and this one is also very good your ip dress has been flagged as a threat by the item security network well i don’t like the item security network because then they know exactly what kind of plugin i’m using for my security so by as being flagged by a threat dot just contact your webshop if you ran into problems then we have authorized hosts this is my own ip address very important we already added it you can fine tune items security how they’ll be logging everything on your website in your database files or both it’s completely up to you i would suggest you use a file because your database is already under a lot of pressure because of woocommerce so you make sure you need you have to write hosting or else it gets really slow how many days you want the log files to remember well just skip to 180 that is okay here is the path to log files so you can always find them and then the ip detection we already talked about it and then they have the ui tweaks see a high security menu in the admin bar it is this thing over there you actually can hide it because you don’t use it a lot anymore after setting this up so you can just press save and when i now go to next page login security and now actually it is gone from my bar over here alright on the login security you can actually change the two factor authentication you can choose the methods you can use all methods or accept email or just manually and then you can just say well what do you want to do do you want to have backup authentication codes the email or only mobile app i like only the mobile app but your customers might also like sending an email as a confirmation now these setup flows i will disable on first login why would i disable it it’s not safe well you have to remember the first time your customer logs in and want to place another order or see their status you don’t want to bug them with two-factor authentication they only want to check whether where the package is or they just want to place another order so make sure it is on the next time they log in because then they are determined i’m happy with these products i want to have it again and then they actually want to do more effort to set up the two-factor authentication and then you have an onboard welcome text and tweak this text something like you know that hackers try to steal our data every single day when you log in using two-factor authenticator you’ll be prompted to enter secondary authentication code from your phone or email this really really really helps preventing your data from being stolen online and then it’s something more and then you press just save and then actually people understand how this works we’re going to walk through this in just a second then we go to lockouts here are the banned user agents so if someone is banned it will be added into it there so if someone calls you and says i cannot log in on bench then you can actually unbend them over here to just delete them if you also want a default bandlist you can enable this function now you get a list from by jim walker which is very useful because a lot of ip address on that list will be attacking your website automatically but if you notice that a lot of customers cannot enter your website anymore then uncheck this one press save then we go to logo brute force i would definitely say automatically bend the admin user because if someone tries to log in using the word admin that’s definitely about trying to log in or someone trying to be funny but just ban them immediately if your username is actually admin over there then add a new user over here with another email address of yourself and change the username make him an admin login using this username delete your own one and and change the new user to something else than admin so you can log in but not using the admin word then how many times do you want someone to be able to log in well i would say three strikes is out so you can only try it three times per user i would also say five times this means that they have a good username then they can only try it five of them times if they tried within five minutes i would say within 10 minutes then that’s a bad login and then they they will be locked out and eventually be banned and then we have the network brought forth just banned reported ips and then you have your api key which is filled in automatically let’s go to notifications over there now here’s the notification center and actually when you go to default recipients that’s great but when i go to my security digest this is something you should disable or put it on a weekly status because you will get updates every single day about who’s trying to break into your website and who’s trying to log in just disable this entire security digest like this and press save on then we go to site of lockouts here you get a notification when someone has been locked out out of your system it could be useful maybe in your case i don’t like those emails because i get a lot of emails about side lockouts of bus just trying to hack me and i don’t want that so press save it this actually will send a copy of the database to this email address or you can change it to whatever you want this is the notification sent out for the new login url this is the two factor email change your email over here and here’s the config confirmation you can also change it let’s go to the advanced section because there are still some things we need to change for example the file access you want to protect system files and you want to disable directory browsing what this actually does it is protecting your system files to be changed by someone else but they also can’t use readme.txt which is being used to check what kind of version of wordpress you have so that they can see what vulnerabilities are on your wordpress system we also don’t want to pay a php execution in uploads plugin and teams because i’ve seen a lot of times that malicious php files were uploaded into wp content to themes and plugins and upload files and then they can execute it from outside to send spam via your website or just add in seo spam then we go to wordpress tweaks because in here we really have to change something now the file editor is appearance and then you have a file editor over there normally you don’t use it if you ever want to use it you have to uncheck this one and then it will be added back to there but it is a good practice to keep it disabled then you have the api access using xmlrpc that is more of a curse than of a blessing lately what this thing does you can actually connect to the xml rpc and actually do a brute force attacks because you can log into your system when using a web shop you should actually disable this one only if you’re not using for example jetpack or wordpress mobile apps which i both actually don’t use and i don’t like them because it really slows everything’s down and it’s just i don’t like the stuff but also pingbacks are also working throughout this system but if you want to have it enabled then make sure to uncheck this box because this one xmlrpc allows hundreds of username password guesses per request so they can just brute force you in one night but to be sure press disable very important if you notice that some programs cannot connect anymore to your webshop for example your book keeping software for your finance make sure to enable this again and just uncheck this one but for now on this shop i’m going to disable it because it will save a lot of brute force logins then the rest api if you’re not a developer and you’re not developing on your live wordpress website which i don’t think you are just press restricted access so we can actually close that gate also then you can change how users log in do you want them to log in with email address and username only the email address or only the username the email address only is way more secure than the username only because usernames are very easy to leak or to find in a website it’s the most safe way unless you’re using info at to login your website then don’t use it but if you are in doubt you can also use both of them because your customers on your webshop will also use these settings i’m going to change it to email address only then we have to force a unique nickname and we want to disable the extra user archive because when the archive is enabled they can easily fetch all their usernames and use them in brute force attacks then we’re going to press save and then we go to the hide back end feature i really love this feature some experts disagree with me because they say you’ve already changed the brute force login so it’s not necessary but i really like it why because here you can change the wp admin to something completely different and you can just put in anything here you want for example name of your cat or some of my clients have start or something like admin wordpress login like this we’ll just use anything that’s unique and only for your eyes only you can change the register slack to wp signup.php or something completely else and when someone tries to fetch wp admin it will be redirected to this slot which should be not a chance dude remember to save this login url right now because when you press save you will be redirected to this new login are you ready press save and our settings been changed now we also have received a new email now which has new login url the login address for don’t forget to like and subscribe has changed the new login address sw what’s also in your mail because it’s very important that you didn’t forget it all right let’s go to tools over there first of all let’s identify the server ip address if you press run now it will check on the ip address of the server itself so my server is in google cloud and this is the ip address next one if you have a user id of one then we should change it to someone else let’s run it has been updated well done then you go to the database table prefix because 95 of the database table names are well known by hackers because of the wordpress system now before using this tool we strongly recommend creating a backup of your database because when this go wrong your website will be destroyed i’m not kidding it will be destroyed if you don’t know how to create a backup follow this tutorial how to migrate your website and you can use this feature also to create a backup to download it so if any things go wrong you can just put your website back with ease then we go to check file permissions we’re just going to run this so what this actually says is that every every value is all right for all the folders and then they set well wp config and http access is just 644. this is not unsafe but it can just be a little bit safer however if i change this then some of my things won’t work anymore because for example my caching plugin needs the hd axis to change if you see here things like 600 or 777 and these are red then you definitely need to change those things and you can do it within your hosting company go to file manager now you can change your permissions or using ftp if you don’t know what all this is just ask your hosting company and they will help you out let’s go to the server config rules these are just the generated server config rules that are just added into your website you can press run and then it will be added again they already edited so it’s basically never needed but when something go wrong you can add it in here or you can just copy them to use it manually the same is with wp config you can add run but it’s already been added there or you can just copy rules then in wordpress solves changing your wordpress solves is actually not needed however if you have suspicion that your website have been compromised one way in the past then definitely press this run button and then we have the security check pro detects the correct way to identify user ip address based on your server configuration we already did it but if you want to do it just edit again so let’s actually set up the two factor authentication first what you do is you log out from your website remember the url you changed with hiding the back-end then we’re going to log in again and then we get this message set up your to factor and here you can see our own message that we’ve just entered in here press continue and now you can choose using the mobile app or the email disabled doesn’t mean that it’s not working it means that you have not enabled it for yourself so you actually cannot click over here i think items need to fix this because you cannot click over here i want to click on this thing or press here and enable button now i have to click on the arrow over there click on it and then you can use a ios or android and you can actually scan this so on your smartphone you can get any mobile apps you want authenticator the google authenticator the microsoft authenticator whatever you want for this example i’m gonna use the google authenticator i cannot show you right now because i have a lot of customers in here so i just press the plus icon on the corner right and then we press on scan qr code and then you see this which you can use to actually scan this qr code i’m going to scan it right now and it’s been added instantly what you see is actually this don’t forget to like and subscribe because that’s the name of my website right now but we’ve added it all right when you’ve added it to yours to your mobile phone you press continue over there and then you have to fill in the authentication code in my case it’s seven three five nine four five right now and we press verify and now it has been enabled and then we can also enable our email press enable and now it has been enabled and we press continue now it is set up and we are ready to go press complete however what i don’t like is that you have to use mobile app and email so we’re going to security settings over there and we just go through this option and then you can also disable email or just enabled the only thing we just covered is the alerts if you click on here you will get security admin messages the only thing i read here is this new features and they release every other week they release new updates so they’re coming into they’re really not that interesting if you have questions or you just want to say hey thank you math drop them down in the comments and i will be glad to answer all of your questions and reply if i helped you out hit that like button and subscribe if you want to see more videos about woocommerce divi or other wordpress related topics i’ll see you in the next video have a awesome day and sleep well tonight knowing that your webshop is completely secured