Ithemes Security Setup Guide 2019 PDF
SETUP GUIDE
A QUICK REFERENCE FOR WORDPRESS SECURITY SETTINGS & CONFIGURATION
TABLE OF CONTENTS
INTRODUCTION ... 1
INTRODUCING THE SETTINGS MODULES ... 2
SECURITY CHECK ... 3
ITHEMES SECURITY SETTINGS EXPLAINED ... 5
PRO SETTINGS ... 12
ADVANCED SETTINGS ... 20
INTRODUCTION
ITHEMES SECURITY PLUGIN SETUP & SETTINGS
INTRODUCING THE SETTINGS MODULES
All iThemes Security settings are organized into "Modules" on the
Settings page.
SECURITY CHECK
The first module in the list is the Security Check. The Security
Check ensures your site is using the basic recommended settings.
Click the Secure Site button to run the Security Check.
Banned Users
Database Backups
Local Brute Force Protection
Network Brute Force Protection
Strong Passwords
WordPress Tweaks
File Change Detection
Magic Links PRO
Malware Scan Scheduling PRO
Two-Factor Authentication PRO
User Logging PRO
Note: Running the Security Check more than once will re-enable recommended
settings that have been disabled.
ITHEMES SECURITY SETTINGS EXPLAINED
The following pages give an in-depth explanation of each
iThemes Security plugin settings module.
Global Settings
Notification Center
404 Detection
Away Mode
Banned Users
Database Backups
File Change Detection
File Permissions
Local Brute Force Protection
Network Brute Force Protection
Password Requirements
SSL
System Tweaks
WordPress Salts
WordPress Tweaks
PRO Magic Links
PRO Malware Scan Scheduling
PRO Privilege Escalation
PRO reCAPTCHA
PRO Settings Import and Export
PRO Security Dashboard
PRO Two-Factor Authentication
PRO User Logging
PRO User Security Check
PRO Version Management
PRO Trusted Devices (Beta)
PRO Grade Report
GLOBAL SETTINGS
Write to Files - In order to take advantage of all that iThemes Security has to
offer, it will need permission to write to the .htaccess and wp-config.php
files.
Host Lockout Message - This is the customizable message that will display
when an IP has been locked out.
User Lockout - This is the customizable message that will display when a
user has been locked out.
Community Lockout Message - This is the customizable message that will
display when an IP has been flagged as bad by the iThemes network.
Blacklist Repeat Offender - This will allow iThemes Security to ban an IP
that has reached the blacklist threshold.
Blacklist Threshold - The number of lockouts allowed before a permanent
ban.
Blacklist Lookback Period - The length of time a lockout will count towards
a permanent ban.
Lockout Period - The length of time a lockout will last.
Lockout White List - This is where you can add users' IPs to prevent them
from being locked out.
Log Type - Choose how you want your logs to be stored.
Days to Keep Database Logs - The length of time a log entry will be stored
in the database.
Allow Data Tracking - Allow iThemes to track plugin usage via anonymous data.
We are not currently tracking any data when this feature is enabled.
Proxy Detection - May help with identifying actual IPs instead of the proxy
server’s IP.
Hide Security Menu in Admin Bar - Remove the Security Messages Menu
from the admin bar and receive the messages as traditional WordPress
Admin Notices.
Show Error Codes - Decide whether or not the lockout messages should
display error codes.
Enable Grade Report PRO - This will allow the Grade Report Module to show
in the security settings.
NOTIFICATION CENTER
From Email - iThemes Security will send notifications from this email address.
Leave blank to use the WordPress default.
Default Recipients - Select which users will be used as the default recipient
list.
Automatic Updates Info PRO - The Version Management module will send an
email with details about any automatic updates that have been performed.
Database Backup - The Database Backup module will send a copy of any
backups to the email addresses listed below.
File Change - The File Change Detection module will email a file scan report
after changes have been detected.
Grade Report Change PRO - Receive a notification when your security grade
changes. This email is generated by the Grade Report module.
Inactive Users - The User Security Check module sends a list of users who
have not been active in the last 30 days so you can consider demoting or
removing users.
Magic Login Link PRO - Customizable message and subject used for the
Magic Link email. This email is generated by the Magic Links module.
Malware Scan Results PRO - Receive a notification when the malware scan
finds an issue or if the scan repeatedly fails. This email is generated by the
Malware Scan Scheduling module.
Security Digest - Choose the frequency of notification summary emails
generated by iThemes Security.
Settings Export PRO - Customize the email that contains the settings export.
This email is generated by the Settings Import and Export module.
Site Lockouts - Receive a notification when an IP or user is locked out. During
periods of heavy attack, iThemes Security can generate a large amount of
emails as it helps protect your site.
Two-Factor Email PRO - Customize the email users will receive that contains
the authentication code. This email is generated by the Two-Factor
Authentication module.
Two-Factor Email Confirmation PRO - The email a user will receive when
setting up Two-Factor. This email is generated by the Two-Factor
Authentication module.
Two-Factor Reminder Notice PRO - Customize the email sent to remind
users to set up two-factor. This email is generated by the User Security Check
module.
Unrecognized Login PRO - Users receive a notification if there is a login from
an unrecognized device. This email is generated by the Trusted Devices (Beta)
module.
404 DETECTION
Minutes to Remember 404 Error - How long a 404 will count towards a
lockout.
Error Threshold - The number of 404 errors needed for a lockout.
404 File/Folder Whitelist - Use the whitelist to add any file or folder you do
not want to count towards a lockout. Keep in mind the 404s will still be recorded
in the security logs.
Ignored File Types - Choose file types that you do not wish to count towards
lockouts.
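The counting logic those four settings describe, as an added example that is not the plugin's own code: the threshold, window, whitelist entries and ignored types are assumed values, and the log lines replayed at the end are constructed.

```python
# Added example, not the plugin's own code: a 404-detection counter modelled on
# the four settings above. Threshold, window, whitelist and ignored types are
# assumed values; the log lines replayed at the end are constructed.
from collections import defaultdict, deque
from urllib.parse import urlsplit

WINDOW_SECS = 5 * 60          # Minutes to Remember 404 Error
ERROR_THRESHOLD = 20          # Error Threshold
WHITELIST = ("/favicon.ico", "/wp-content/uploads/")        # 404 File/Folder Whitelist
IGNORED_TYPES = {"jpg", "jpeg", "png", "gif", "css", "js"}  # Ignored File Types

def counts_toward_lockout(url: str) -> bool:
    """Every 404 is still logged; this decides whether it also counts toward a lockout."""
    path = urlsplit(url).path
    for entry in WHITELIST:   # exact file match, or anything beneath a whitelisted folder
        if path == entry or (entry.endswith("/") and path.startswith(entry)):
            return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in IGNORED_TYPES

class NotFoundTracker:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> times of 404s that counted
    def record(self, ip: str, url: str, now: float) -> bool:
        """Record one 404; return True when this IP has crossed the threshold."""
        if not counts_toward_lockout(url):
            return False
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECS:   # forget 404s older than the window
            q.popleft()
        return len(q) >= ERROR_THRESHOLD

def replay(lines):
    """Replay '<epoch> <ip> <path>' lines and return the set of IPs to lock out."""
    tracker, locked = NotFoundTracker(), set()
    for line in lines:
        ts, ip, url = line.split()
        if tracker.record(ip, url, float(ts)):
            locked.add(ip)
    return locked

# Constructed sample: one client probing old PHP paths, one client missing images
# under the whitelisted uploads folder (those 404s are logged but never count).
SAMPLE_LOG = ([f"{100 + i} 203.0.113.7 /old-page-{i}.php" for i in range(20)] +
              [f"{100 + i} 198.51.100.9 /wp-content/uploads/missing-{i}.png" for i in range(40)])
```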
AWAY MODE
Type of Restriction - Choose if you want Away Mode to occur once or daily.
Start Time - The time away mode will become active and you will not be able
to access the login page.
End Time - The time away mode will end and you will be able to access the
login page.
BANNED USERS
DATABASE BACKUPS
Note: The Database Backup module will send a copy of any backups to the email
addresses listed in the Database Backup section of the Notification Center module. You
can customize the email subject and recipients.
FILE CHANGE DETECTION
Files and Folders List - Select which files you want to exclude from the file
change scan. It is common practice to exclude items that are expected to
change frequently. A good example of this would be backup and cache
directories.
Ignore File Types - Choose file types that will not be included in the scan.
Display File Change Admin Warning - Choose if you want to see an admin
notification when a change is found.
Compare Online Files - Compares file hashes of changed WordPress core and
iThemes or WordPress.org plugins or themes to their online counterparts.
Note: The File Change Detection module will email a file scan report after changes have
been detected. From the Notification Center module, you can enable this email,
customize the subject and select which users should receive File Change emails.
FILE PERMISSIONS
See the iThemes Security suggested file permission settings and compare them
to your current file permission settings.
LOCAL BRUTE FORCE PROTECTION
Max Login Attempts Per Host - The number of allowed invalid login attempts
per IP before a lockout occurs.
Max Login Attempts Per User - The number of allowed invalid login attempts
per user before a lockout occurs.
Minutes to Remember Bad Login - The number of minutes an invalid login
attempt will count towards a lockout.
Automatically ban admin user - Immediately lock out a host that attempts
to log in using the admin username.
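How the Local Brute Force Protection settings above combine with the lockout, blacklist threshold and lookback settings from Global Settings, as an added example that is not the plugin's own code. All limits, periods and the whitelisted address are assumed values; times are epoch seconds.

```python
# Added example, not the plugin's own code: a lockout engine modelled on the
# Global Settings and Local Brute Force Protection settings described above.
# All values are assumed for illustration; times are epoch seconds.
from collections import defaultdict, deque
MAX_PER_HOST = 5            # Max Login Attempts Per Host
MAX_PER_USER = 10           # Max Login Attempts Per User
REMEMBER_SECS = 5 * 60      # Minutes to Remember Bad Login
LOCKOUT_SECS = 15 * 60      # Lockout Period
BLACKLIST_THRESHOLD = 3     # Blacklist Threshold (lockouts before a permanent ban)
LOOKBACK_SECS = 7 * 86400   # Blacklist Lookback Period
WHITELIST = {"192.0.2.10"}  # Lockout White List (constructed address)
BAN_ADMIN_USERNAME = True   # Automatically ban admin user

def _prune(q, now, window):
    # Drop events older than the window and return how many remain.
    while q and now - q[0] > window:
        q.popleft()
    return len(q)

class LockoutEngine:
    def __init__(self):
        self.attempts = defaultdict(deque)       # ("host", ip) / ("user", name) -> times
        self.locked_until = {}                   # same keys -> lockout expiry time
        self.host_lockouts = defaultdict(deque)  # ip -> lockout times, for the blacklist
        self.banned = set()                      # permanently banned IPs
    def is_blocked(self, ip, username, now):
        if ip in self.banned:
            return True
        keys = (("host", ip), ("user", username))
        return any(self.locked_until.get(k, 0) > now for k in keys)
    def _lock(self, key, now):
        self.locked_until[key] = now + LOCKOUT_SECS
        self.attempts[key].clear()
        if key[0] == "host":  # Blacklist Repeat Offender: only host lockouts count
            hist = self.host_lockouts[key[1]]
            hist.append(now)
            if _prune(hist, now, LOOKBACK_SECS) >= BLACKLIST_THRESHOLD:
                self.banned.add(key[1])
    def failed_login(self, ip, username, now):
        """Record one failed login; return 'ok', 'locked' or 'banned'."""
        if ip in WHITELIST:
            return "ok"
        if BAN_ADMIN_USERNAME and username == "admin":
            self._lock(("host", ip), now)
        for key, limit in ((("host", ip), MAX_PER_HOST), (("user", username), MAX_PER_USER)):
            self.attempts[key].append(now)
            if _prune(self.attempts[key], now, REMEMBER_SECS) >= limit:
                self._lock(key, now)
        if ip in self.banned:
            return "banned"
        return "locked" if self.is_blocked(ip, username, now) else "ok"
```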
NETWORK BRUTE FORCE PROTECTION
Enable to block IPs that have been identified by the iThemes Network as bad
actors.
PASSWORD REQUIREMENTS
SSL
If you have an SSL certificate installed, you can use this setting to
redirect all HTTP traffic to HTTPS.
SYSTEM TWEAKS
WORDPRESS SALTS
Change the WordPress salts & security keys. Note that changing the salts
will log you out of your WordPress site.
WORDPRESS TWEAKS
Windows Live Writer Header - Remove the Windows Live header if it isn’t
needed.
EditURI Header - Removes the RSD header.
Comment Spam - Prevent comments from bots with no referrer or user-agent.
File Editor - Disable the WordPress file editor and require using a different
tool to edit the theme or other files.
XML-RPC - Choose how you would like XML-RPC to be managed on the site.
REST API - Choose how you want the REST API used on the site.
Login Error Messages - Prevent login error messages from being displayed.
Force Unique Nickname - Force users to use a unique nickname when
updating or creating a new account.
Disable Extra User Archives - Disable the author page for users with 0 posts.
Protect Against Tabnapping - Protect visitors against tabnapping external
links.
Login with Email Address or Username - Manage what a user can use to
log in.
Mitigate Attachment File Traversal Attack - This helps to mitigate an attack
where users with the "author" role or higher could delete any file in your
WordPress installation including sensitive files like wp-config.php.
PRO SETTINGS
While the free version of the iThemes Security plugin will secure your website
on a basic level, Pro settings are designed to add an even stronger layer of
protection to your website.
Pro settings can be accessed from the Settings page like all other iThemes
Security settings modules.
PRO Magic Links
PRO Malware Scan Scheduling
PRO Privilege Escalation
PRO reCAPTCHA
PRO Settings Import and Export
PRO Security Dashboard
PRO Two-Factor Authentication
PRO User Logging
PRO User Security Check
PRO Version Management
PRO Trusted Devices (Beta)
PRO Grade Report
MAGIC LINKS
PRO
Enable - The Magic Links feature allows you to log in while your username is
locked out by the Local Brute Force Protection feature. When your username
is locked out, you can request an email with a special login link. Using the
emailed link will bypass the username lockout for you while brute force
attackers are still locked out.
Note: The Magic Links module sends an email with a Magic Link that bypasses a
username lockout. From the Notification Center module, you can customize the subject
and message of this email. Basic HTML and some email tags are supported.
PRIVILEGE ESCALATION
PRO
RECAPTCHA
PRO
SETTINGS IMPORT AND EXPORT
PRO
Note: The Settings Import Export module sends an email with the settings export file
attached. From the Notification Center module, you can customize the subject of this
email and the message. Basic HTML and certain email tags are supported.
SECURITY DASHBOARD
PRO
After enabling, refresh the page to see the new Security Dashboard link in your
WordPress admin dashboard menu. Visit this link to create your Security
Dashboard with the following card options (click the Edit Cards link on the right
side of the screen):
TWO-FACTOR AUTHENTICATION
PRO
USER SECURITY CHECK
PRO
See how your users might be affecting your security and take action when
needed in the User Security Check module.
Enable to see an overview of users using two-factor, and the strength of their last
login. You can also send two-factor reminder emails and change their user role.
USER LOGGING
PRO
With the User Logging module, you can log user actions such as login,
saving content and others.
VERSION MANAGEMENT
PRO
The Version Management module will send an email with details about any automatic
updates that have been performed. From the Notification Center module, you can
enable this email and select recipients.
TRUSTED DEVICES (BETA)
PRO
Minimum Role - Enable Trusted Devices for users with the selected minimum
role.
Restrict Capabilities - When a user is logged-in on an unrecognized device,
restrict their administrator-level capabilities and prevent them from editing
their login details.
Session Hijacking Protection - Help protect against session hijacking by
checking that a user's device does not change during a session.
Geolocation - iThemes Security uses geolocation to improve the accuracy of
Trusted Device identification. By default, a number of free GeoIP services are
used. We strongly recommend enabling one of the MaxMind APIs.
Static Image Map API - iThemes Security uses static image maps to display
the approximate location of an unrecognized login. We recommend using
either the Mapbox or MapQuest APIs.
Users can receive a notification if there is a login from an unrecognized device. From the
Notification Center module, you can enable this email and customize the subject and
message of the email.
PASSWORD REQUIREMENTS
PRO
Force Password Change - Force all users to change their password on their
next login attempt.
Password Expiration - Set the length of time a password can be used.
Refuse Compromised Passwords - Force users to use passwords that do
not appear in any password breaches that are tracked by Have I Been Pwned.
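How a compromised-password check against Have I Been Pwned can be done without sending the password itself, as an added example that is not the plugin's own code. It uses the public range endpoint (SHA-1 prefix in, "SUFFIX:COUNT" lines out); the response below is constructed so the example runs offline, and the counts in it are illustrative.

```python
# Added example, not the plugin's own code: how a "refuse compromised passwords"
# check can use Have I Been Pwned's range API without sending the password.
# The API is queried with the first 5 hex characters of the SHA-1 and answers
# with "SUFFIX:COUNT" lines; the response used here is constructed for offline use.
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str):
    """k-anonymity split: only the 5-character prefix ever leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Return how often this suffix appears in a range response (0 if absent)."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue                      # tolerate blank or malformed lines
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0

def is_compromised(password: str, fetch_range) -> bool:
    """fetch_range(prefix) performs the HTTPS GET; injected so it can be faked offline."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch_range(prefix)) > 0

# Constructed response for prefix 5BAA6, the SHA-1 prefix of "password".
# The counts are illustrative; the real API returns hundreds of lines per prefix.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\r\n",
}

def fake_fetch(prefix: str) -> str:
    """Offline stand-in for requesting HIBP_RANGE_URL + prefix."""
    return FAKE_RANGES.get(prefix, "")
```

A real deployment replaces fake_fetch with an HTTPS GET of HIBP_RANGE_URL plus the prefix and refuses the password when the count is non-zero.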
GRADE REPORT PRO
The Grade Report module allows you to see your WordPress security
grade and fix issues.
Note: Enable Grade Report must be selected in the Global Settings module for
this module to display on the Settings page.
Once enabled, a new Grade Report link will appear in your WordPress admin
dashboard beneath the Security menu. Click this link to see your Security Grade
Report summary. You can manage the Grade Report Change emails from the
Notification Center.
The Grade Report module can send a notification whenever your Security Grade Report
changes. From the Notification Center module, you can enable this email and then
customize the subject, schedule (daily or weekly) and message of this email, along with
selecting recipients.
ADVANCED SETTINGS
Several settings can be located by clicking the "Advanced" tab on the
settings menu. Note: These settings are to be used with caution and
only by advanced users!
ADMIN USER
An advanced tool that removes users with a username of "admin" or a user ID of "1".
CHANGE DATABASE PREFIX
Change the database table prefix that WordPress uses. Warning: Only do this
on fresh WordPress installs and make a database backup before making the
change.
HIDE BACKEND
Hide the login page by changing its name and preventing access to wp-login.php
and wp-admin.
Hides the login page (wp-login.php, wp-admin, admin and login) making it
harder to find by automated attacks and making it easier for users unfamiliar
with the WordPress platform.
SERVER CONFIG RULES
If you need to manually add the server config rules generated by iThemes
Security to your server, you can find them here.
WP-CONFIG.PHP RULES
Get started with our single site iThemes Security Pro
plan for just $49* with coupon code SECUREMYWP
*Offer good on any *new* iThemes Security Pro (1 site) plugin purchase.
Coupon can't be used to renew or extend an existing iThemes Security Pro (1 site) plugin membership.