How to Protect Your WordPress Site with iThemes Security Pro

With over 40% market share, WordPress powers millions of websites across the globe. Its easy-to-use interface allows anyone to quickly build professional looking sites without coding.

However, this simplicity comes at a cost – WordPress is a prime target for hackers. Over 30,000 WordPress sites get hacked every day according to Sucuri. Small businesses are especially vulnerable as they often lack resources to properly secure their sites.

So how do you lock down your WordPress site against attacks? One of the best tools available is iThemes Security Pro. It packs a ton of features to protect your site from unauthorized access and malware.

In this detailed guide, we'll explore how iThemes Security can help secure your WordPress site.

Why Use a Security Plugin for WordPress?

The WordPress core software is quite secure – only 0.5% of vulnerabilities in 2021 could be attributed to it. However, WordPress sites still get hacked frequently due to vulnerabilities in plugins, themes and poor password hygiene.

Here are some common attack vectors exploited by hackers:

  • Weak Passwords – Using simple passwords like "password123" or reusing the same password across sites makes it easy for hackers to break in.
  • Outdated Software – Not updating plugins/themes leaves known vulnerabilities open for attackers to exploit.
  • Insecure Plugins – Compromised or poorly coded plugins can allow attackers to inject malware or gain access.
  • Brute Force Attacks – Hackers can automatically try millions of password combinations to break into accounts.
  • File Modifications – Attackers can modify/add malicious code by directly editing plugin/theme files.

A good security plugin like iThemes Security Pro helps protect against these attack vectors in multiple ways:

  • Strong password policies
  • Two-factor authentication
  • Proactive brute force protection
  • File change monitoring
  • Automated software updates
  • User activity logging

By adding extra layers of security, iThemes makes it much harder for hackers to find holes and break into your site.

Getting Started with iThemes Security Pro

iThemes Security is available as a free limited version or a full-featured Pro version starting at $80 per year. For the best protection, you'll want the Pro version.

Here are the steps to set up iThemes Security Pro:

  1. Purchase – Buy iThemes Security Pro from their website. You can choose monthly or annual billing.

  2. Download – After purchase, you'll get download access and license keys for the plugin. Download the iThemes Security Pro plugin zip file.

  3. Install – In your WordPress dashboard, go to Plugins > Add New and upload the downloaded zip. Activate the plugin.

  4. Configure – Go to Settings > iThemes Security and walk through the onboarding checklist. You'll be prompted to configure various security options.

The setup provides good descriptions for each setting so you can tweak them to match your specific needs. Feel free to use the default options for basic protection.

For added security, I recommend enabling Two-Factor Authentication under the Login Security tab. This requires users to enter a code from their mobile app in addition to a password when logging in.

Once done, your site will be locked down with iThemes Security Pro protecting it!

Now let's look at some of the key features it brings to the table.

Powerful Login Security

One of the most common ways hackers try to break into WordPress sites is by brute forcing passwords. iThemes Security offers multiple ways to protect against this.

Strong Passwords

Under Login Security settings, you can enforce:

  • Minimum password length and complexity – Set a minimum length and require a mix of uppercase, lowercase, numbers and symbols to prevent weak passwords.

  • Maximum password age – Force users to update passwords after a defined period to prevent password reuse.

  • Banned passwords – Block the most common weak passwords like "password" and "123456".

  • Suspicious slug – Disallow usernames that match common ones like "admin" that are targets for brute force.

  • Passwordless logins – Support logging in via Face ID, Touch ID, Windows Hello, FIDO security keys. No password needed!

Brute Force Protection

To thwart brute force attacks, iThemes Security provides:

  • Login lockout – Temporarily block IPs after a defined number of failed login attempts

  • Permanent lockout – Ban IPs permanently if they exceed a failed login threshold

  • Two-factor lockout – Enforce two-factor login after a number of failed attempts

  • reCAPTCHA – Show reCAPTCHA challenge after failed logins to block bots

  • Login activity email alerts – Get notified when suspicious login attempts are detected

Together these lock down your login page against unlimited guessing attacks. Legitimate users may get temporarily blocked, but that's better than getting hacked!

Two-Factor Authentication

For optimal login security, enforce two-factor authentication (2FA). iThemes Security supports TOTP-based 2FA via:

  • Mobile apps like Google Authenticator and Authy
  • Email
  • Backup codes

With 2FA enabled, users have to enter both a password and a time-based one-time code from their mobile app/email when logging in.

This significantly raises the barrier for hackers as they now need access to both something you know (password) and something you have (mobile device).

Login Activity

iThemes Security provides visibility into all login activity under the Dashboard. You can see current active logins and take action:

  • Force password reset – Instantly force password reset for any user

  • Force logout – Terminate active sessions and force logout

  • Temporarily – Block user login for a period of time

  • Permanently – Completely disable user login

This lets you quickly disable compromised accounts or shut down suspicious logins as they are detected.

Together these extensive login security protections make it extremely difficult for hackers to brute force or guess their way into your site.

Manage Users with Groups

The Groups feature in iThemes Security allows setting up user groups with specific security policies.

For example, you can create an "Editor" group for your site editors. Some policies you could enforce:

  • Require strong 15 character passwords
  • Enable Two-factor authentication
  • Receive email alerts for failed logins
  • Limit to 5 failed logins before temporary lockout

Groups let you apply security settings selectively only to users who need it rather than site-wide.

This enhances security while minimizing inconvenience for regular users.

Some common use cases for groups:

  • Higher security for admin users
  • Relaxed policies for trusted users
  • Temporary lockdowns during attacks
  • Compliance requirements for user subsets

You can leverage the default WordPress roles like Editor, Author, Subscriber. Or create custom groups based on specific users.

This granular control helps apply the right security policies tailored to each user group.

Monitor File Changes

Hackers often try to modify/add malicious code to plugin and theme files. The File Change Scan in iThemes Security detects and alerts about unexpected file changes.

You can configure:

  • Files/paths to monitor – Restrict to specific sensitive folders like /wp-admin, /wp-includes.

  • File types – Scan only PHP files to ignore non-executable changes.

  • Scan frequency – Daily or real-time checks for instant detection.

  • Email alerts – Get notified immediately if any file changes are detected.

  • Integration with iThemes Sync – Automatically revert unauthorized file changes.

File change scanning serves as an extra layer of protection beyond plugin/theme updates. It can catch unauthorized edits that may slip past those protections.
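
The idea behind a file change scan can be shown with a short added example (not the plugin's implementation): hash the monitored files once as a baseline, hash them again later, and report what was added, removed or modified. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root, extensions=(".php",)):
    """Map relative path -> SHA-256 for files under root with a monitored extension."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue  # file type filter: only executable PHP is tracked
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return hashes

def diff_snapshots(baseline, current):
    """Compare two snapshots and classify every difference."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Run a scan over a constructed WordPress-like tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        write("wp-includes/version.php", "<?php // core file")
        write("wp-content/themes/demo/functions.php", "<?php // theme code")
        write("wp-content/uploads/logo.png", "image bytes")
        baseline = snapshot(root)

        # Constructed changes made after the baseline was taken.
        write("wp-content/themes/demo/functions.php", "<?php // theme code, edited")
        write("wp-content/uploads/cache.php", "<?php // PHP file in uploads")
        write("wp-content/uploads/logo.png", "different image bytes")
        os.remove(os.path.join(root, "wp-includes", "version.php"))
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The changed `logo.png` does not appear in the report because of the PHP-only filter, which is the trade-off of restricting the scan by file type. The baseline itself has to be stored where a compromised site cannot rewrite it.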

Manage Plugin/Theme Updates

Outdated plugins and themes can leave security vulnerabilities in a WordPress site. iThemes Security gives control over managing updates for:

  • WordPress Core
  • Plugins
  • Themes

You can enable automatic background updates for each. This ensures any security fixes released are installed promptly.

For plugins and themes, you can also:

  • Select specific ones to auto-update
  • Exclude plugins/themes from auto-updates
  • Enable auto-updates only for major versions
  • Configure update timeframe – immediately or delayed by days

While WordPress already provides background update options, having them centralized under iThemes Security makes it more convenient.

Automated updates block attackers from exploiting known vulnerabilities that have been patched but not installed yet on your site.

Beat Brute Force Attacks

Brute force attacks involve hackers using automated tools to try millions of password combinations to break into accounts.

iThemes Security has your back with multiple ways to detect and stop brute force attacks:


Temporarily ban IPs after a number of failed login attempts to prevent endless guessing. You can configure:

  • Threshold of failed logins before lockout
  • Lockout duration before reset

Permanent Ban

For repeat offender IPs, permanently block them after exceeding a failed login threshold. This instantly stops the attacker.


Show a reCAPTCHA challenge after a number of failed logins to block bots attempting to brute force.

Network Brute Force Protection

Prevent blocked IPs from attacking other sites on the iThemes Security Network. All sites share banned IPs for broader protection.

These layered defenses ensure your site remains up and running smoothly even during a coordinated password guessing attack.

Legitimate users may face temporary access issues during lockouts. But that's better than letting the attack continue and having your site compromised.
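
The threshold, lockout duration and permanent ban settings described above interact as in the following added example (a sketch, not iThemes Security's code). The class name, the numeric thresholds and the login events are all constructed; the IP addresses come from documentation ranges.

```python
from collections import defaultdict

class LockoutPolicy:
    """Temporary lockout after repeated failures, permanent ban after repeated lockouts."""

    def __init__(self, max_failures=5, window=300, lockout=900, lockouts_before_ban=3):
        self.max_failures = max_failures            # failures allowed inside `window`
        self.window = window                        # seconds a failure stays counted
        self.lockout = lockout                      # seconds a temporary lockout lasts
        self.lockouts_before_ban = lockouts_before_ban
        self.failures = defaultdict(list)           # ip -> recent failure timestamps
        self.locked_until = {}                      # ip -> time the lockout expires
        self.lockout_count = defaultdict(int)       # ip -> lockouts so far
        self.banned = set()

    def status(self, ip, now):
        if ip in self.banned:
            return "banned"
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        return "allowed"

    def record_failure(self, ip, now):
        """Register one failed login and return the resulting status for the IP."""
        if self.status(ip, now) != "allowed":
            return self.status(ip, now)             # attempts while blocked are dropped
        recent = [t for t in self.failures[ip] if now - t < self.window] + [now]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.failures[ip] = []
            self.lockout_count[ip] += 1
            if self.lockout_count[ip] >= self.lockouts_before_ban:
                self.banned.add(ip)                 # repeat offender
            else:
                self.locked_until[ip] = now + self.lockout
        return self.status(ip, now)

def replay(events, policy):
    """Feed (timestamp, ip, outcome) events to the policy; return final status per IP."""
    for ts, ip, outcome in events:
        if outcome == "fail":
            policy.record_failure(ip, ts)
    end = events[-1][0]
    return {ip: policy.status(ip, end) for _ts, ip, _outcome in events}

# Constructed log: one IP guessing every 10 seconds, one user with two spaced-out typos.
EVENTS = sorted(
    [(t, "203.0.113.7", "fail") for t in range(0, 110, 10)]
    + [(5, "198.51.100.20", "fail"), (200, "198.51.100.20", "fail"),
       (205, "198.51.100.20", "ok")]
)

if __name__ == "__main__":
    demo_policy = LockoutPolicy(max_failures=3, window=120, lockout=60, lockouts_before_ban=2)
    print(replay(EVENTS, demo_policy))
```

Keying on the source IP is what makes legitimate users behind a shared address vulnerable to the temporary blocks mentioned above, so the threshold and window are worth tuning to real login traffic.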

Get Notified of Important Events

Situational awareness is critical when it comes to security. iThemes Security can notify you via email when important events occur:

  • Failed login attempts
  • Login lockouts
  • reCAPTCHA lockouts
  • File changes
  • Plugin/theme updates
  • WordPress security alerts
  • Database changes
  • 404 errors

Detailed notifications with context allow investigating suspicious activity or critical changes right when they occur.

You can dial up or down email alerts based on what events you care about keeping an eye on.

Customizable Dashboard

The iThemes Security dashboard provides an overview of everything going on with your site:

  • Recent activity like logins and lockouts
  • File change alerts
  • Active users you can force logout
  • Pending plugin/theme updates
  • WordPress security notices
  • Scan results of site health, file changes etc.

The dashboard serves as your security command center to monitor and control your site. You can customize it by adding/removing modules based on your needs.

Hardening WordPress Configuration

Beyond plugins and passwords, a site's security also depends on how WordPress itself is configured.

iThemes Security optimizes various WordPress settings for security:

  • Disable file editing from WordPress admin
  • Remove theme/plugin editor access
  • Hide error messages from users
  • Change default database table prefixes
  • Disable XML-RPC if not needed
  • Adjust cookie and session settings
  • Hide WordPress version number

These harden WordPress against different attack techniques and minimize exposed information.

Detect Malware and Blacklisting

In case your site does get hacked, iThemes Security can help identify malware and blacklist indicators.

Under the Malware Scan tab, it checks for:

  • Suspicious files added like web shells
  • Implants in existing files like code injections
  • Known malicious code signatures
  • Communications with malware command and control servers

The scan results show malware detections that you can then clean up.

For ongoing protection, iThemes Security monitors Google Safe Browsing, Sucuri Labs and Spamhaus to alert you if your site gets blacklisted.

This allows identifying and addressing hacks or compromises before they can do extensive damage.


As you can see, iThemes Security packs an exhaustive set of features to lock down your WordPress site.

It goes far beyond basic login security to also handle brute force attacks, file monitoring, access control, malware detection and more.

With pros like automated patching, configurable groups and two-factor authentication, iThemes Security Pro is one of the most powerful WordPress security plugins available.

The comprehensive protection will frustrate hackers and prevent your site from getting compromised.

While no single plugin can guarantee 100% bulletproof security, iThemes Security Pro gets you 99% of the way there. Implementing it should put your mind at ease knowing your site is under expert guard.

For the best peace of mind, use iThemes Security Pro along with a managed WordPress host that has in-depth security expertise. This combination offers the most secure foundation for your online business.

