![\"\"](\"https:\/\/i0.wp.com\/www.johnthornhill.com\/blog\/wp-content\/uploads\/2020\/05\/john-salvino-bqGBbLq_yfc-unsplash.jpg?resize=200%2C300&ssl=1\")
<\/p>\nWordPress is a very popular website creation tool. It can be used to create anything from a simple blog to a full-blown e-commerce site. <\/p>\n
Because of that, it is the most dominant CMS (Content Management System) on the market. According to a survey, 35% of all websites (62% of CMS websites) – or around 455,000,000 websites are using WordPress.<\/p>\n
This is great for you, it means that there is a lot of support and plenty of plugins (addons) available – often free.<\/p>\n
At the same time, it could be a problem for you. It is the most attacked type of system on the web. Anybody using WordPress must use a security plugin.<\/p>\n
The one that I use – and have been using for a number of years on sites that I have built – is iThemes Security<\/a> previously known as Better WordPress Security. According to the Bloggers Roadmap<\/a>, “iThemes Security is the best overall security plugin you can find”. Although there is a paid version, the free version does an excellent job.<\/p>\n In this post, I will take you through the options and configurations of the free version.<\/p>\n The first thing you should do after installing and activating the plugin is to run the security check.<\/p>\n This will enable and initially configure:-<\/strong> You then have basic protection – from a single click of a button.<\/p>\n Now it’s time to visit the various modules to really tighten thing up by checking (and possibly changing) the following configurations<\/p>\n Global Settings<\/strong><\/p>\n The configuration that I use is as follows: The three lockout messages can be left as standard, or you can enter your own.<\/p>\n Enable Blacklist Repeat Offender – people who fail blacklist checks several times are automatically added to the banned list. I use these thresholds: Permanently Ban after 3 lockouts within 21 days, Lockout Period 15 minutes (before they can retry).<\/p>\n Lockout Whitelist: Enter\u00a0Your own IP address – done automatically if you click the button.\u00a0 This is very important – it means that you cannot accidentally be blacklisted from your own site.<\/p>\n You may need to update this periodically if your internet provider changes your address – I am on a cable service and have had the same IP address for a few years.<\/p>\n Notification Center<\/strong> User Groups<\/strong> 404 Detection<\/strong> Away mode<\/strong> Banned users<\/strong> If you need help with this, ask via comments and I will add a short explanatory post<\/p>\n Database Backups<\/strong><\/p>\n Configure your backups. I use the following: File Change Detection<\/strong> File Permissions<\/strong> Assuming a Linux host (the most common) each file or folder has 3 sets of permissions: These permissions are represented as 3 numbers in the order owner, group member, anyone else.<\/p>\n The numbers have the following meaning. Local Brute Force Protection<\/strong> I set Max Login Attempts Per Host and Max Login Attempts Per User to 5 Network Brute Force Protection<\/strong> Password Requirements<\/strong> SSL<\/strong> System Tweaks<\/strong><\/p>\n More advanced settings. I recommended WordPress Salts<\/strong> WordPress Tweaks<\/strong><\/p>\n I enable the following: Once this is done your WordPress site will be quite strongly protected.<\/p>\n Let me know if this post was helpful. Your comments or corrections are always welcome.<\/p>\n If you would like to see my progress from internet nerd to internet marketer visit thegotomarketer.net<\/a><\/p>\n
\n– Banned Users
\n– Database Backups
\n– Local Brute Force Protection
\n– Network Brute Force Protection
\n– Strong Passwords
\n– WordPress Tweaks<\/p>\n
\nAllow iThemes Security to write to wp-config.php and .htaccess – this will ensure that your security settings are always properly updated.<\/p>\n
\nHere you can configure notification of security warnings<\/p>\n
\nCan be left at the defaults<\/p>\n
\nThis catches people looking for files to exploit. 404 (not found) errors are shown when a requested file is not found on your system. I set ‘Remember 404 Error’ to 15 minutes and ‘Error Threshold’ to 5. I leave the ‘Whitelist’ and ‘Ignored File Types’ as is.<\/p>\n
\nI don’t enable this but it can be used to disable WordPress dashboard access at certain times.<\/p>\n
\n– Here you can give a list of IP addresses or address blocks to ban completely.
\n– Enable HackRepair.com’s blacklist feature.
\n– Enable Ban Lists
\n– Ban Hosts. I tend to use the lockout notifications (especially for people trying to log in as Admin) to block the whole ISP for hackers from places like Russia, China etc.<\/p>\n
\n– Backup Full Database Off
\n– Backup Method Email Only – backups will be emailed to me
\n– Backups to Retain doesn’t matter as I am not storing them on the machine
\n– Zip Database Backups
\n– Exclude Tables I leave as is
\n– Enable Scheduled Database Backups
\n– Backup Interval 3 days (if your site is very busy, with many posts, you may wish to shorten this interval).<\/p>\n
\nI leave this as is, but you can choose not to flag changes to some files, or to include some of the exclude file types.<\/p>\n
\nThis will give the current and recommended permissions for various files. If the site is working a lower level than recommended doesn’t hurt, but they need some explanation.<\/p>\n
\n– What the owner of the file can do
\n– What people in the same group of users as the owner can do
\n– What anyone else can do.<\/p>\n
\n0 can do nothing
\n1 can enter the folder or execute the program (e.g. a php file)
\n2 can write to the file (or folder)
\n3 can write to the file (or folder) and can enter the folder or execute the program (e.g. a php file)
\n4 can read the file (or folder)
\n5 can read the file (or folder) and can enter the folder or execute the program (e.g. a php file)
\n6 can read or write to the file (or folder)
\n7 can read or write to the file (or folder) and can enter the folder or execute the program (e.g. a php file)<\/p>\n
\nThis is to protect against those who attempt to break in by guessing passwords.
\nNote: Set yourself up as an administrator, set up another user as an editor, remove the user ‘admin’ (if present), and never post using your admin login. If you have posted with this name you can choose quick edit for the post and change the author.<\/p>\n
\nI set Minutes to Remember Bad Login (check period) to 15 minutes (some hackers anticipate the normal 10 minute period)
\nAlways set Automatically Ban “admin” user<\/p>\n
\nmake sure that you have generated an API key and selected Automatically ban IPs reported as a problem by the network<\/p>\n
\nEnable strong passwords for Administrator and Editor. You can also enable for lower categories if you wish.<\/p>\n
\nLeave unless you have a security certificate to run your site under https<\/p>\n
\nProtect System Files
\nDisable Directory Browsing
\nDisable PHP in Uploads<\/p>\n
\nI leave this alone<\/p>\n
\n– Reduce Comment Spam
\n– Disable File Editor It says that if you enable this you will need to manually edit theme and other files using a tool other than WordPress, but you can disable this and re-enable after editing.
\n– XML-RPC You can set this to disabled. If you use jetpack you will need it enabled, and follow the jetpack security settings.
\n– Block Multiple Authentication Attempts per XML-RPC Request.
\n– REST API is the better, newer replacement for XML-RPC. Use the recommended Restricted Access.
\n– Disable login error messages.
\n– Force users to choose a unique nickname – makes the displayed post name different from the login name. This would allow you to post as administrator user but I still recommend that you don’t
\n– Prevent attachment thumbnails from traversing to other files.<\/p>\n