How To Secure Your WordPress Websites with iThemes Security – 2021 Tutorial

Sep 10, 2021 | Security, WordPress plugins

Learn how to secure your WordPress website by using a FREE plugin called iThemes Security. In fact, I use it on all of my own and my clients’ websites!

I want you to succeed with your website, so let’s get started.

0:00 Intro
0:25 Installing iThemes
0:50 Setting up the plugin
14:53 Advanced settings
19:35 Important things to do
20:16 Setting up two factor authentication


Hey guys what’s up? You don’t want to get hacked, so let’s get started by securing your WordPress website.

In this video we will be securing my latest website, which you can see in this tutorial that shows you exactly how to create this awesome website. So be sure to check that out.

So first we log in to the dashboard, and then go to ‘Plugins’ -> ‘Add new’. The only plugin we will need is this one: “iThemes Security”. Just press Enter. This is a completely free plugin. They have a pro version, but for now the free version is perfect. Press ‘Install Now’ and then press ‘Activate’. Now our plugin has been activated.

So the first thing we’re going to do is press this ‘Settings’ button right there. Do you have a webshop? Do you have a network website with a forum, for example? Do you have a nonprofit website with donations? Do you have a blog with a lot of interactions and comments? Do you have a portfolio with just a lot of pictures, for example? Or do you have a brochure website: a simple website to promote your business? Well, choose the one that fits you. Why? Because different features are going to be enabled depending on which one you choose. For eCommerce we need different security settings than for a brochure. We are now going to use the brochure website: a simple website to promote your business. We are setting the website up for ourselves.

And yes, I want to enforce a password policy. Why is this? Well, the entire security of your website could be compromised with just a weak password. So guys, this is really important. Use a strong password. Press ‘Next’.

The next step is enabling two factor authentication. This is powerful. If you enable this combined with your strong password, then your website is pretty much unhackable through the front gate. So if you enable this (let’s push on this button), then you need an app on your mobile phone or a text message or anything else that will prevent users from logging in without using a second authentication factor. This is great. So we’re going to enable this and we’re going to press ‘Next’.

You want to keep this enabled. This is for when people have guessed your username right and are trying to log in by guessing your password.
Well, that’s pretty hard; if they don’t have your mobile phone for authentication, it’s pretty much impossible. But if they try to do so, they will be locked out when they have tried five or six times. Also, with network brute force protection, all IP addresses are checked against a database, so they know exactly who to block and who not. So press ‘Next’ on this one. And if you want Security Check Pro, just like I said, enable this one, because this is a powerful feature. Press ‘Next’.

Now this is useful if you have different authors on your website. If you’re the only one, just press ‘Default’. If you are the only one using your website, you can press ‘Skip user groups’. If you’re not the only one and you have multiple people working on your website, you can actually configure this per user. So let’s say you’re the administrator and you have a couple of editors or authors, and you don’t want the editors and the authors to change the iThemes Security settings. Then you can disable the global settings in the security dashboard for that group of people. It is very, very useful. We don’t have different user groups on this website, so you can press ‘Skip user groups’. If you don’t have any other people who are going to your website, press ‘Recommended configure site’.

This is the place where you can add your IP address to WordPress security so you will never be locked out of your website. This is very useful. Just press ‘Add my current IP to the authorized host list’. For me, this is not going to do anything, because I use a VPN so nobody can track what I’m doing, and I have a secure tunnel set up. So this changes for me every day. We’re going to change IP detection to ‘Security check scan (recommended)’ and we’re going to press ‘Next’.

We want the network brute force protection, so we have to fill out our email address. If you want to receive email updates every week (well, I don’t), just enable this one and press ‘Next’.
Email notifications are very important, so enter your email address. I want to be the only one who receives those emails. If you have more administrators on your website, don’t click this box, because they will all receive the daily digest and they will receive all the mails every single day. We’ve got to disable it, because it actually drives me nuts: how many hackers, how many bots have been disallowed and blocked from the website. So just select the users you want to receive the emails and press ‘Continue’.

This is just an overview of what we have already set up. You cannot change anything here, so press ‘Secure site’. And now it says our site has been secured, so press ‘Finish’. Good work!

Now you go back to ‘Settings’, because there are a couple of things we still need to configure before we are completely secured. So let’s go over all the settings one by one to set up your security once and for all.

So, the two factor authentication: if you press ‘Edit Settings’, you can change the method by which you secure your login with two factor authentication. You can use all methods, of course, or all except email, or select the methods manually. Then you can choose which ones to allow: the mobile app, email or backup codes as well. This is user independent, so they can all choose which one they want. If you only want your users to use mobile apps, then just select only the mobile app, for example. It’s the most secure way. We’re going to set this up later on, so just press ‘Save’ right here.

Let’s get back to the settings using ‘Features’ right there. Alright, we have the lockouts; this is the way to ban users. Press ‘Edit settings’. You can change the ban list, which will enable banned IPs in server configuration files. There is a limit of 100 IPs. That is more than enough, so we can just leave it right there. Local brute force: this is a very powerful feature, and I always enable this one. Automatically ban the admin user.
Because automatic bots will always try to log in using the username admin. However, if that’s your username, you need to change it right now. If you’re unable to change it because there is only one user and it is admin, then you just need to add a new user, make it an administrator, and use another email or your own email. Just create a new user with a different username, because the username admin is the worst username you can ever have on a website!

This is the max login attempts per host. I always change this to three, so you get three tries and then you’re out. The max login attempts per user, I put this on five. And the minutes to remember a bad login, I always change this to 10 minutes, so if you are locked out, after 10 minutes you can try again. Press ‘Save’ and then we go to Network brute force. We already have ‘Ban reported IPs’, and we have an API key, which is great.

Alright, let’s get back to our features. We were at the lockouts, and next comes the site check. This is a powerful feature that lets you constantly monitor the file changes on your website. Because when hackers infiltrate your system, they are going to change different files in your WordPress installation. That way they can easily change different scripts to add malicious code to your website, so people download Trojan horses or get redirected to poker websites, porn websites or pill websites (the 3 p’s), and you don’t want that.

However, the file change monitor is really thorough. That means every time you update something, you will get an email because files have been changed. Even when the cache has been emptied, you will be notified that certain files have been changed. If you want to enable this one, you can just press ‘Enable it’ and then press this gear icon to whitelist certain files and folders. For example: your caching files and folders should not be included in the file change monitor.
For example, if we want that, we go to wp-content, then to cache, and on the cache folder we press ‘Select’, so now /wp-content/cache/ will not be actively monitored. The same goes for /et-cache/ from Divi. We have to whitelist this one to exclude it. Let’s go further, and also the /uploads/et-temp/. You don’t want that one included. Alright, after you have added this one, press ‘Save’, and now we have the file change monitor set up correctly.

Then we go back to features. We were at the site check, right? That’s all good. Let’s go to ‘Utilities’, ‘Enforce SSL’: enforce that all connections are made through SSL/TLS. Enable this one! This is important. If you use SSL (and I strongly recommend you do), then enable this one.

Your database backups: for this one we are going to edit the settings. So now you have everyday backups of your database. However, I am still convinced that your hosting company should do the backups of your files, your emails and your database. But better to be safe than sorry. So if you want this to be emailed to you, then press ‘Schedule database backups’ and set the backup interval. Well, you can do three days between them or you can use seven days. The normal security guys would say: “No, you need one backup every single day!” I totally agree, but if your website doesn’t change that much, then maybe you should put it on seven. It’s completely up to you.

I prefer to have it saved locally and emailed to you, because your email is disconnected from your WordPress website. So if your website gets hacked, you always have backups in your email and not only saved on your hosting. Because when they infiltrate your website, well, they are in, and they’re going to really screw up your website and your database.

Now the number of backups to retain. I think 30 backups is the max; that will be great. If you don’t visit your website often, or not even once a month, then I would suggest you change this to 360.
So you have backups of your database for the entire year, which is very important. This is all good, so let’s press ‘Save’. And then we go back to features and utilities. We were at the database backups. That’s all right, and Security Check Pro is enabled, so that’s awesome.

All right. Then we go to the next step: ‘User groups’. Well, I’ve already explained this. If you’re the only one, just leave it like this. If you have multiple people on your website, you can change this. That is really useful.

Let’s go to ‘Configure’. The global settings: allow iThemes Security to write to your files. This is important, because otherwise you have to make the changes manually, and that is a bit of a hassle. Alright, 15 minutes to lockout; I would say change that to 10 minutes. And for how many days will a lockout be remembered? I think this is perfect. Ban repeat offender: of course, if you are banned three times in a row, you get banned permanently. This is great, just keep it on three, this is awesome.

The lockout message is just an error: “You’ve been locked out due to too many invalid login attempts.” You can change this, of course, to anything you want. “Your IP address has been flagged as a threat…” I would suggest you remove the mention of the iThemes Security Network, as that is a security risk, because now they know which plugin you are using for your security. So remove that one.

Authorized host: we have already enabled that; this is your own IP address. Database logs: you can see whatever happens on your website, and you can change this to File only, Database only or both. I would suggest using database only. IP detection, we already did that. The security menu in the admin bar: they’re talking about this little thing. It is useful when something has happened that you want to know about, but it’s also pretty annoying that with every new feature you get a message right up there, and it is a bit of, well, it’s just what you prefer.
I would suggest you press ‘Hide security menu’, press ‘Save’, and then we go to ‘Login security’ right there. And actually, the login security we have already done. Lockouts, we’ve already done this. Site check, we’ve already done it, and the utilities we have already done, so that is pretty awesome.

Let’s go to notifications. In the notifications you will see… let’s press ‘Security digest’. If this is enabled, you will get an email every single day with what is happening on your website. In the beginning it’s interesting; after a week you are saying “STOP EMAILING!”, so I would suggest you just disable this one and press ‘Save all’. Site lockout notifications: it is really annoying to see all those bots trying to get into your website and to get all those emails. If you want to receive them, keep it enabled; it is your choice.

Database backup. Where will it be sent to? It will be sent automatically to the email of the website owner. That is in this case If you don’t want to use this email address, change it to another one. Let’s go to ‘File change’; here you get emails when your files have been changed. You can enable this one.

Let’s go to two factor email. Here you can change what the email says when you want to use two factor authentication with an email. And this is the mail that’s sent to you: “Hi [and then your name], click the button to continue or manually enter this code below to finish logging in.” You can customize this email; choose whatever you want. I think this is a good email, so we’ll just leave it right there. Yes, the two factor email confirmation. This is very important if you want to use email as a method, because this is the setup for the two factor. I don’t know why they have this where you can disable it, but I think this is a pretty useful email, so just leave it in right there.

Alright, that was all the normal settings. Let’s go to the ‘Advanced settings’ right here.
In the advanced settings we have some important tweaks to make to your WordPress installation. For example, the system tweaks. You want to have these system files protected. You want to disable directory browsing; this is amazing, important stuff. Disable PHP execution in uploads, in plugins, in themes. You can read all about what it does on this site. I don’t need to read it out loud, because you guys know.

If you go to WordPress tweaks, then there is an important one that you sometimes want to change: disable file editor. This means that if you go to ‘Appearance’, the ‘Theme editor’ has now been removed from this menu. If you ever need it because you need to add some custom snippets or anything, you have to go into ‘Advanced’ -> ‘WordPress Tweaks’ and disable the checkmark. And now if you press ‘Save’, reload this page and go to ‘Appearance’, we have the ‘Theme editor’ back in its place, as you can see. Know where it is and remember it, because you will not find it anywhere if this is enabled. It’s a powerful feature, so you should leave this on.

Right, the API access. XML-RPC: well, I would say you disable this one, because this is the most common way hackers find your username and try to log in automatically using different bots. However, there is a drawback to this. Some plugins won’t work when the system is turned off. For example, the Jetpack plugin (I never use it, because I think it’s bloated with all kinds of stuff you never need in your website), and there are some other apps. If you want to use your mobile app to change your WordPress website using your mobile… in all my years of website building I have never actually used the XML-RPC function because, well, I just don’t use it. So this is great. Just use ‘Disabled’.

Now there is another one. The REST API is a bit tricky. Because if you use software to manage your finances, for example, this could cause problems.
Well, they keep trying to add your orders to their back office or anything, so leave it on ‘Default access’ if you are using that kind of system that uses your website. Or press ‘Restricted access’. If you don’t know what I’m talking about and you think, “Well, there’s nothing integrated with my website, so…”, press ‘Restricted access’; it’s the safest way. But if you encounter problems in the future, this is a function you first want to turn on again, and also the XML-RPC.

Users: they can log in with their email address and username, or only the email address, or only the username. It’s completely up to you. ‘Force a unique nickname’, that will be very useful, and ‘Disable extra user archives’. I always turn this on, because it is so annoying when you have different users on your website, or just your own, and you have no posts at all, and people can actually get the author page of you when you have no posts. It is not logical. So we’re going to disable this and press ‘Save’.

And then the last advanced feature, which I completely like and enjoy, is the ‘Hide backend’ feature. It is unique to iThemes Security; other plugins don’t have this. So we press ‘Hide backend’. We’re going to change the login slug, because /wp-admin/ is the most common way to log in to a WordPress website. Everybody in the world knows that, even hackers. So you want to change this to something else. We’re going to change this to, well, let’s say wordpress-login-secure-page, for example. It is enormously long, and if someone can guess this, then I would be impressed.

Just change this to anything you like, but never forget it, because if you forget it, you cannot log in to your WordPress website anymore, unless you change this again by disabling iThemes Security using your FTP program. If you don’t know what I’m talking about, then write this down, mail it to yourself or whatever. Because if you forget it, you cannot enter your website again except by changing some other things.
So just copy this and save it in a safe, secure place. Alright, then we need to enable the redirection so people will get redirected to a page. I used to use a page like ‘not a chance, dude’. And then I create a different page where people see this and they’re like, “Oh, this guy has actually secured his website, well done”. When you have done all this, press ‘Save’. And now we have completed all our settings with iThemes Security.

However, there are a few things you still have to do. Always check your updates: ‘Dashboard’ -> ‘Updates’. Your WordPress website has to be completely up to date. If you see this (current version is the latest version, all plugins up to date, all themes up to date), that is awesome! Good job! Then trying to hack you this way is pretty much impossible. Always keep that in mind. The security of your website has to do with a couple of things: password security, two factor authentication, your hosting company, your updated website. Keep it all updated. Make sure you’ve got a good hosting company. If you’re still looking for one, there is a link in the description.

Now I go to my user and press ‘Logout’, and we’re going to set up two factor authentication. So go to your new login URL and just log in with your credentials. As you do that, this is what we see: “Set up your two factor”. Press ‘Continue’. To use your mobile app, press the arrow right here, and choose your device. I have iOS. Then you open your authenticator app. I always use the Google Authenticator app, because I use it with a lot of services from Google and for other websites, for my hosting and for everything. Then you scan this QR code with your mobile phone. When you have scanned it, you will receive a code. So press ‘Continue’. Now we have to enter this authentication code. Be quick, because this one refreshes every 30 seconds. Press ‘Verify’. And now we are enabled. This is great! Our mobile app two factor authentication has been enabled.
Now you can press ‘Skip’, and now when I try to log in I have to enter my authentication code. So this is where you get your app with all the codes on your mobile phone. We’re just going to enter the code which is on my phone and press ‘Authenticate’. When I press this, I can log in easily. So if you ever lose your mobile phone, then you have a little bit of a problem. You’d better make a backup of your phone on your computer, so when you lose your phone, you can always restore it on a new phone and then log in to your website again.

Is two factor authentication the best way to secure your WordPress website? Well, yes, it is definitely very useful, and I would really recommend adding it to your websites. Because this makes guessing your password, and even logging in to your website if you have the password, pretty much impossible, because you always need this little thing to log in to your WordPress website.

If this was useful for you, hit that like button so I know we are on the right track, and if you want to know how to create a WordPress website, check this video out, because it will really change the way you build your websites. I wish you an awesome day.
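The file change monitor and its cache exclusions, described in the site check part of the tutorial, come down to hashing every file and comparing snapshots. The sketch below is an added example, not iThemes Security’s own code; it assumes the Divi folders sit under wp-content, and the function names are illustrative.

```python
import hashlib
import os

# Folders the tutorial excludes from monitoring, relative to the WordPress root.
# Assumption: /et-cache/ and /uploads/et-temp/ both live under wp-content.
EXCLUDED_DIRS = (
    "wp-content/cache",
    "wp-content/et-cache",
    "wp-content/uploads/et-temp",
)


def is_excluded(rel_path, excluded=EXCLUDED_DIRS):
    """True if rel_path is one of the excluded folders or lies inside one."""
    rel = rel_path.replace(os.sep, "/")
    return any(rel == d or rel.startswith(d + "/") for d in excluded)


def snapshot(root, excluded=EXCLUDED_DIRS):
    """Map every monitored file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if not is_excluded(f"{rel_dir}/{d}".lstrip("/"), excluded)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):      # skip broken links, sockets, ...
                continue
            sha = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            digests[f"{rel_dir}/{name}".lstrip("/")] = sha.hexdigest()
    return digests


def diff(before, after):
    """Compare two snapshots; return sorted added, removed and modified paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python monitor.py /path/to/wordpress baseline.json
    root, baseline_file = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            print(json.dumps(diff(json.load(fh), current), indent=2))
    with open(baseline_file, "w") as fh:
        json.dump(current, fh)
```

Keep the baseline file outside the web root, for the same reason the tutorial prefers emailed backups: a copy stored with the site can be changed along with it.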
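To see how the local brute force numbers chosen in the tutorial interact (3 attempts per host, 5 per user, 10 minutes to remember a bad login, 10 minute lockout, ban after 3 lockouts, automatic ban for the username admin), here is an added example that replays failed logins through those thresholds. It is a simplified model written for this page, not the plugin’s implementation; the class, function names and sample events are constructed.

```python
from collections import defaultdict, deque

# Thresholds chosen in the tutorial.
MAX_PER_HOST = 3            # failed logins allowed per IP address
MAX_PER_USER = 5            # failed logins allowed per username
REMEMBER_SECONDS = 10 * 60  # "minutes to remember a bad login"
LOCKOUT_SECONDS = 10 * 60   # lockout length (changed from 15 to 10 minutes)
BAN_AFTER_LOCKOUTS = 3      # "ban repeat offender" threshold
BAN_ADMIN_USERNAME = True   # ban any host that tries the username "admin"


class LockoutPolicy:
    """Simplified model (assumption), not the plugin's real bookkeeping."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ("host"|"user", key) -> timestamps
        self.locked_until = {}              # ("host"|"user", key) -> unlock time
        self.lockouts = defaultdict(int)    # ip -> number of host lockouts so far
        self.banned = set()                 # permanently banned IPs

    def is_locked(self, ip, user, now):
        keys = (("host", ip), ("user", user))
        return any(self.locked_until.get(k, 0) > now for k in keys)

    def failed_login(self, ip, user, now):
        """Record one failed login at `now` (seconds); return the outcome."""
        if ip in self.banned:
            return "banned"
        if BAN_ADMIN_USERNAME and user == "admin":
            self.banned.add(ip)
            return "banned"
        if self.is_locked(ip, user, now):
            return "locked"
        outcome = "counted"
        for kind, key, limit in (("host", ip, MAX_PER_HOST),
                                 ("user", user, MAX_PER_USER)):
            q = self.failures[(kind, key)]
            q.append(now)
            while now - q[0] > REMEMBER_SECONDS:  # forget old failures
                q.popleft()
            if len(q) >= limit:
                q.clear()
                self.locked_until[(kind, key)] = now + LOCKOUT_SECONDS
                outcome = "locked"
                if kind == "host":
                    self.lockouts[ip] += 1
                    if self.lockouts[ip] >= BAN_AFTER_LOCKOUTS:
                        self.banned.add(ip)
        return "banned" if ip in self.banned else outcome


def replay(events):
    """Feed (time, ip, user) failures through a fresh policy; list the outcomes."""
    policy = LockoutPolicy()
    return [policy.failed_login(ip, user, t) for t, ip, user in events]


# Constructed sample: documentation-range IPs and made-up usernames.
SAMPLE = [(0, "203.0.113.5", "editor"), (20, "203.0.113.5", "editor"),
          (40, "203.0.113.5", "editor"), (60, "203.0.113.5", "editor"),
          (90, "198.51.100.7", "admin")]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", outcome)
```

The per-user limit is what catches failures for one account arriving from several addresses, where each address stays under the per-host limit.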