What is iThemes Security Pro for WordPress?


Protects your WordPress site from hackers. Requires an iThemes paid subscription, but there is a free version as well.

More Info

Free version: https://wordpress.org/plugins/better-wp-security/
Pro (paid) version: https://ithemes.com/security/
Documentation: https://help.ithemes.com/hc/en-us/categories/200147050-iThemes-Security

Initial Configuration

Settings > iThemes Licensing

Enter your iThemes login information to authorize this plugin.

Security > Settings

Close the initial Security Check window. Then click the list view icon and the All text link.

Change the following settings (if not mentioned below, leave default setting). Make sure to hit Enable and/or Configure Settings to see options. After each section, be sure to click Save Settings.

  • Global Settings
    • Notification Email: enter your email address.
    • Send Digest Email: check Send digest email.
    • Backup Delivery Email: enter your email address.
    • Blacklist Repeat Offender: disable Enable Blacklist Repeat Offender.
    • Hide Security Menu in Admin Bar: check Hide security menu in admin bar.
  • Banned Users
    • Default Blacklist: check Enable HackRepair.com’s blacklist feature.
  • Local Brute Force Protection
    • Automatically ban “admin” user: check Immediately ban a host that attempts to login using the “admin” username. The only exception is if you have a legitimate user account named “admin” (not recommended), in which case you should leave this option unchecked.
  • Hide Backend
    • Hide Backend: check Enable the hide backend feature.
    • Login Slug: change to something unique like the initials of the company name plus login. For example, cnlogin.
  • Network Brute Force Protection
    • Email Address: enter your email address.
    • Receive Email Updates: enable.
  • SSL: NOTE: only enable this feature if there is an active SSL certificate for the site’s domain name.
    • Front End SSL Mode: choose Whole Site.
    • SSL for Dashboard: check Force SSL for Dashboard. NOTE: occasionally this may cause issues; if it does, disable this option.
  • Strong Password Enforcement
    • Select Role for Strong Passwords: choose Contributor.
  • System Tweaks
    • System Files: check Protect System Files.
    • Directory Browsing: check Disable Directory Browsing.
    • PHP in Uploads: check Disable PHP in Uploads.
  • WordPress Tweaks
    • Windows Live Writer Header: check Remove the Windows Live Writer header.
    • Comment Spam: check Reduce Comment Spam.
    • XML-RPC: choose Disable XML-RPC (recommended) if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used. Otherwise, choose Disable Pingbacks.
    • Multiple Authentication Attempts per XML-RPC Request: choose Block (recommended).
    • REST API: choose Restricted Access (recommended) if your site does not use the REST API. Otherwise, choose Default Access.
    • Login Error Messages: check Disable login error messages.
    • Force Unique Nickname: check Force users to choose a unique nickname.
    • Disable Extra User Archives: check Disables a user’s author page if their post count is 0.
    • Protect Against Tabnapping: check Alter target="_blank" links to protect against tabnapping.
  • Malware Scan Scheduling (PRO VERSION)
    • Email Contacts: disable All Administrator users and check only one admin username.
    • The settings here are up to you if you want auto-scanning enabled.
  • Version Management
    • Email Contacts: disable All Administrator users and check only one admin username.
    • The settings here are up to you if you want auto-updates enabled.
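
To confirm from the outside that the Hide Backend, XML-RPC, Directory Browsing and SSL settings above took effect, the following added example (not from the original post or from iThemes) evaluates responses observed from a site you administer. The probe names, the fetch helper and the sample responses are assumptions made for illustration, and the XML-RPC check assumes Disable XML-RPC was chosen rather than Disable Pingbacks.

```python
# Added example (not iThemes code): audit observed responses from your own site.
import urllib.error
import urllib.request
# Probe name -> path. "http_root" is requested over plain http://, the rest over https://.
PROBES = {"login": "/wp-login.php", "xmlrpc": "/xmlrpc.php",
          "uploads": "/wp-content/uploads/", "http_root": "/"}

def evaluate(obs):
    """obs maps probe name -> (status, lowercase headers, body). Returns findings."""
    findings = []
    status, _, body = obs["login"]
    if status == 200 and "loginform" in body:
        findings.append("Hide Backend: /wp-login.php still serves the login form")
    _, _, body = obs["xmlrpc"]
    if "XML-RPC server accepts POST requests only" in body:
        findings.append("XML-RPC: endpoint still answers")
    status, _, body = obs["uploads"]
    if status == 200 and "Index of /" in body:
        findings.append("Directory Browsing: uploads folder is listable")
    status, headers, _ = obs["http_root"]
    if not (status in (301, 302, 307, 308)
            and headers.get("location", "").startswith("https://")):
        findings.append("SSL: plain HTTP is not redirected to HTTPS")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def fetch(host):
    """Collect observations from a site you administer (never called on import)."""
    opener = urllib.request.build_opener(_NoRedirect)
    obs = {}
    for name, path in PROBES.items():
        scheme = "http" if name == "http_root" else "https"
        try:
            resp = opener.open(f"{scheme}://{host}{path}", timeout=10)
        except urllib.error.HTTPError as err:
            resp = err
        headers = {k.lower(): v for k, v in resp.headers.items()}
        obs[name] = (resp.code, headers, resp.read(65536).decode("utf-8", "replace"))
    return obs

# Constructed sample observations (assumed status codes, not captured from a real site).
HARDENED = {"login": (404, {}, "Not Found"), "xmlrpc": (403, {}, "Forbidden"),
            "uploads": (403, {}, "Forbidden"), "http_root": (301, {"location": "https://example.com/"}, "")}
DEFAULT = {"login": (200, {}, '<form name="loginform">'), "http_root": (200, {}, "home"),
           "xmlrpc": (405, {}, "XML-RPC server accepts POST requests only."),
           "uploads": (200, {}, "<title>Index of /wp-content/uploads</title>")}
```

Run evaluate(fetch("your-domain")) after saving the settings; an empty list means all four checks passed.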



Want to secure your website against hackers? Has your site already been hacked? Contact us. We can help.
