Every time, and I mean every time, I make a new WordPress site, the first thing I do is install and activate the iThemes Security plugin. Hands down, I do believe that it is the top in Security Best Practices plugins. With over two and a half million downloads, it is definitely a plugin you can depend on. There are two versions of iThemes Security: a free version and a paid premium version. This review will be discussing the free version of the plugin.
Benefits of using iThemes Security
The number one benefit I see in iThemes Security is that it helps keep the bad guys out and it lets you know when they try to get in.
I receive emails when a bot or person tries unsuccessfully to log in to my website. After three failed attempts to log in, iThemes Security will notify the admin via email that someone has been locked out due to too many failed login attempts. Here is an example of the email you will receive. You can adjust the number of failed login attempts allowed before a lockout. It is recommended to not put this at one. This feature will help your site to avoid brute force attacks.
If you notice you are getting a lot of notifications that there are site lockouts due to failed login attempts, it is more than likely the site is under a brute force attack. If you change your login slug to something other than the defaults, that typically helps to reduce brute force attacks tremendously.
404 detection is very important for WordPress security. During a brute force attack, the attacker requests pages while trying to find real ones, and the pages do not exist. Each of those requests returns a 404 error, which triggers 404 detection. The admin will receive an email for brute force/404 detection bans as well. You can change how many 404 errors are made before a host is locked out. It is recommended not to put this to 1. Personally, I say leave this at the defaults.
Since it has happened to me, I enjoy the hide backend feature. I was hit with a horrible brute force attack and received over 40 emails of site lockout notifications one morning due to someone trying to get into my personal blog. Finally, I enabled the hide backend feature and changed the login slug. I have yet to have another site lockout notification on that site due to failed login attempts. If they cannot find where to log in, they cannot log in. Great feature!
Another great feature is that you can set a clock so that your site’s dashboard is unavailable at different times. While I myself do not use this, it is awesome. I have a tendency to write blogs when I should be sleeping. It is great for business websites when they do not want people in their site when the company is not open.
When dealing with passwords, you never want to use an easy one. iThemes Security will enforce strong passwords for all or some of the user roles. This is a great feature to have if you have more than one user on the site. Please remember, “password” is never a good password.
Finally, one of my favorite features is the database backups. You can set up a schedule to have a backup file of the WordPress database emailed to you. For an extra fee, you can have the full backups sent to a remote location with iThemes Backup Buddy. If you worry about losing your site, I highly recommend using both. You can change the settings to back up only some or all of the database.
Things you should know about iThemes Security
- If you use the hide backend feature, you WILL NOT be able to use the default WordPress slugs. Please remember what slug you used for the login page.
- If you do find yourself locked out of your website, you can always FTP into your site and delete the lockout to get back in.
- If you are getting a lot of emails for site lockout notifications, please read your logs before blaming the plugin. Typically it is just the plugin doing its job.
- Nothing is ever 100% secure. Never.
- You do not have to turn everything on. The plugin is set up for the user to pick the features they want to use.
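To check whether a burst of lockout emails reflects a real brute force run, the per-host counting of failed logins and 404s described above can be repeated over the web server's access log. This is an added example, not the plugin's own code: it assumes a combined-format access log and the default `/wp-login.php` path, treats a POST to the login page answered with 200 as a failed attempt (WordPress redirects with 302 on success), and uses a 404 limit of 20 chosen only for illustration.

```python
import re
from collections import Counter

# Combined log format: host ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATH = "/wp-login.php"   # default WordPress login path (assumption: not renamed)
MAX_FAILED_LOGINS = 3          # the lockout count mentioned in the review
MAX_404S = 20                  # assumed value for illustration


def summarize(lines):
    """Count likely failed logins and 404 responses per client host."""
    failed, missing = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        # A 200 on POST means the login form was shown again; success is a 302
        if m["method"] == "POST" and path == LOGIN_PATH and status == 200:
            failed[m["host"]] += 1
        elif status == 404:
            missing[m["host"]] += 1
    return failed, missing


def hosts_over_threshold(lines):
    """Return {host: [reasons]} for hosts at or above either limit."""
    failed, missing = summarize(lines)
    flagged = {}
    for counts, limit, label in ((failed, MAX_FAILED_LOGINS, "failed logins"),
                                 (missing, MAX_404S, "404s")):
        for host, n in counts.items():
            if n >= limit:
                flagged.setdefault(host, []).append(f"{n} {label}")
    return flagged


# Constructed sample lines using documentation IP ranges, not real traffic
SAMPLE = (
    ['203.0.113.7 - - [10/Jan/2024:06:00:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "bot"' % i for i in range(4)]
    + ['198.51.100.9 - - [10/Jan/2024:06:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"']
    + ['192.0.2.44 - - [10/Jan/2024:06:02:%02d +0000] "GET /old-page-%d HTTP/1.1" 404 150 "-" "scanner"' % (i, i) for i in range(25)]
)

if __name__ == "__main__":
    print(hosts_over_threshold(SAMPLE))
```

A host that shows up here with many failed logins or 404s in a short window matches the lockout emails; a single user who mistyped a password once will not appear.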
Final Decision on iThemes Security
I would, and I do, put this plugin on all of my sites. I have yet to encounter a major problem. Anything that I have had an issue with was minor and mostly due to simple error. This plugin is ever evolving and updated very often. If you choose to not use this plugin, please choose some kind of security for your site. Anything is better than nothing. If you are looking for a great, free WordPress Security plugin, iThemes Security is definitely where it is at.