
WP Security plugin. Best WordPress Protection Plug

Good day to all readers. Today we will once again discuss the security of a WordPress site, not in the abstract, but using the example of configuring the excellent All In One WP Security & Firewall plugin, which I use successfully on a number of my sites and can safely recommend to you.

All in One WP Security & Firewall belongs to the family of universal WordPress defenders. A sort of "jack of all trades", it provides comprehensive protection across a great many parameters. The plugin has a good user rating and is completely free.

One important advantage is that All in One WP Security & Firewall is fully translated into Russian, so mastering all of its features is not hard even for those who did not study foreign languages very well at school. Full translation means not only the main functions but almost all of the tooltips for them. It is the tooltips that will give you a complete picture and understanding of why each setting is needed and how important it is.

Structurally, the plugin consists of several dozen options that you are free to enable or leave off. Each option is enabled with a checkbox, and the priority of the option is shown next to it.

The purpose of this article is not so much to list the settings (you can easily see, study and understand them yourself) as to give my view of what is worth enabling and what can be neglected for one reason or another. Let's proceed.

Setting up All In One WP Security & Firewall

Control Panel

  • Information widgets with a clear protection indicator, a chart of all protection points, active sessions and blocked IPs. Pay special attention to the widget "Current status of the most important functions": here you can enable the most important protection elements right away, without digging into the settings.
  • System information. Shows information about the site, the PHP version and all installed plugins. There are also tabs for blocked IP addresses and for the plugin's logs. At first these tabs will, of course, be empty.
  • Blocked IP and log tabs. There is nothing to configure here.

Settings

  • General settings tab. Nothing is configured here, but you can immediately make backup copies of .htaccess, the database and wp-config.php. You can also disable all of the plugin's settings with one switch if something went wrong and problems appeared.
  • WP meta information. Turn it on.

Administrators

  • WP user name. If your login is not admin, everything is in order. Otherwise you need to change it. This is a really important feature. If you later enable notifications about temporarily blocked users who tried to log in with the login admin, you will be unpleasantly surprised: I get at least 2-5 such emails per day (see Login lockdown).
  • Display name. Shows all registered users whose login matches their display name (nickname). If there is nobody but you, the list will be empty. If there are other users, you can correct their nicknames. Not too important a function; you can leave it alone.
  • Password. A handy tool that visually shows you the strength of any password. Judging by it, it makes sense to set complex passwords at least 10 characters long.

Authorization

  • Login lockdown. A useful function against password guessing. Be sure to turn it on and configure the parameters to taste, or leave them at the defaults. I recommend, at least for a while, enabling email notifications about lockouts, just to understand how important this feature is.
  • Failed login attempts. Statistics only; nothing needs to be configured.
  • Automatic logout of users. Inconvenient for your users and at the same time gives few security points. You can leave it off.
  • Account activity log and Active sessions: information and logs.

Registration of users

  • Manual approval. A fairly useful feature if registration on your site is permitted at all and registrations are not especially frequent. You can enable it.
  • CAPTCHA on registration. Adds a simple arithmetic CAPTCHA to the registration form. To be honest, I did not like how it works. I use a separate one, Math Captcha. It looks like all the others, but unlike the built-in one it works an order of magnitude better. Decide for yourself which to choose.

Database

  • Changing the prefix of your database tables. Worth enabling, but I still advise making a database backup first.
  • Database backup. I recommend turning it on. Typically the database does not take up much space, and this will not hurt even if you use some other backup tool for the site.

File system

  • File permissions. Set the recommended value for each folder, as shown in the "recommended action" column, so that the entire list turns green.
  • PHP file editing. You can enable the ban on editing files from the admin panel, unless of course you edit files this way yourself.
  • WP file access. Denies access to readme.html, license.txt and wp-config-sample.php. Turn it on.
  • System logs. Log viewer settings. Do not touch anything.

Whois Search

  • Manual lookup of IP addresses. Nothing is configured here, and for some reason it does not always work.

Black list

  • Ban users. Turn it on. As you understand, it is only relevant if you enter some IP addresses there yourself. It is useful when you need to quickly ban the next idiot misbehaving in the comments.

Firewall

  • Basic rules. Read the prompts and enable both checkboxes. Before that, back up your .htaccess file.
  • Additional rules. Worth enabling everything. However, the plugin's authors warn of possible incompatibility with some plugins.
  • 5G settings. As far as I understand, this enables a certain additional firewall. Turn it on. I did not notice any problems after enabling this option.
  • Internet bots. In theory, blocks fake Google bots. To avoid problems with useful bots, I did not enable this checkbox.
  • Prevent hotlinks. What it is: read the hint. Turn it on.
  • 404 detection. Should be turned on, but with a short blocking time, for example 5-10 minutes.

Protection against brute-force attacks

  • Rename the login page. The option is useful, but keep in mind that there may be a problem if registration is allowed on your site, for example when a user wants to restore a lost password. In general, watch it carefully after turning it on. Also, some hosting providers provide this protection by default. Decide according to circumstances.
  • Cookie-based brute-force protection. As with the previous point, the setting is strictly individual. Read the prompts carefully and decide for yourself.
  • CAPTCHA on login. If you still use the built-in CAPTCHA, it is better to turn it on.
  • Whitelist. Denies access to the login page to everyone except those listed. For true maniacs; you can leave it off.
  • Honeypot. Read the details of this interesting feature in the hint. It seems to me you can safely turn it on.

Protection against spam

  • Comment spam. CAPTCHA in comments: enable it if you use the built-in CAPTCHA. Block spambots: helps your Akismet fight spam robots; turn it on.
  • IP tracking. You can identify the most active spammers and put them on the blacklist.
  • BuddyPress. Only relevant if you have this social network plugin.

Scanner

  • Tracking any changes in files. As it seems, this is more for the especially concerned, since changes in files will certainly occur from time to time. If you want to constantly monitor and control all of this, turn it on.
  • Malware scanning. A paid function, from $5 per month.

Service Mode

  • Here you can enable "maintenance mode" for the site and customise the appearance of the page with a warning for readers. Read the description as well.

Miscellaneous

  • Protection of content from copying and from being displayed inside a frame. Enabling these does not directly affect the protection of the site.

Conclusions

All In One WP Security: on the whole I liked it, and I use it on some sites. In my opinion, if not the best, then surely one of the best plugins of its kind. In fairness I will note that I am in no way an expert in security matters. All of the above is only the result of my experience and personal opinion. So if experienced readers have their own thoughts on configuring this plugin, or better alternatives to it, please speak up. There's no accounting for taste, as they say...


And today, my friends, we will defend ourselves.

Yes. Exactly. From whom? From those comrades, scum, who will make attempts on our blogs. Who these people are I cannot say, but they exist, and in a sense I cannot understand why the earth does not burn under their feet, why stones do not rain on their heads and they do not choke on their own gloating saliva.

And if such people exist, then we need to defend ourselves properly. And today we will give you a super-cool plugin to protect your blog.

Rest assured, not one bastard will penetrate your blog or attack you after you install it.

And this is the All in One WP Security plugin.

I used to use other defence plugins and somehow did not particularly worry about security: the login was naturally admin, the password was five letters, and naturally that lasted only for a while. I never looked into the plugins: well, it's installed, so it protects. In short, everything was in the dark.

And when a hacker attack broke through this defence and began to overload the host, then I thought about it... and completely by accident came across this plugin, which seemed to me very cute and benevolent. And at the same time a very serious guard: having listened to it and followed its instructions, you will be under reliable protection.

Of course, while you are a young blogger and your path is still in the development stage, carelessness will get by. But when you gain weight and start elbowing competitors aside, clearing a place under the sun, you will have envious people and ill-wishers. Therefore, from the very beginning, get into the habit of defending yourself well.

So what is good about All in One WP Security?

  • Reliable;
  • Free;
  • Russian;
  • Simple.

Install it on WordPress in the standard way: Plugins - Add New, type All in One WP Security in the search, press Enter, and the first result, not by chance, will be the one we need...

Let us turn to setting up the All In One WP Security plugin

I advise you to make copies before installing: 1. The database itself. 2. The wp-config.php file. 3. The .htaccess file.

And all of this, conveniently, can be done in the settings of the plugin itself.

Control Panel

In the admin menu, find the WP Security plugin submenu, Control Panel.

The first thing that catches the eye is a sort of pressure gauge of our security and a chart of the work done by the plugin. It is generally cool.

What I want to say. IMPORTANT! Do not crank protection up to the maximum. Do not push the gauge to critical. It is fraught with consequences for the site. So they say; I myself did not experience any problems, probably simply because I keep a little more than half of what is offered.

In the control panel we do nothing else and go to the settings.

Settings

This is exactly where we make copies of our site and database. Here we will also, if necessary, disable the firewall.

In the WP tab, check the box

In the "Import / Export" tab you can export your settings to some other site, if you have one, so as not to set all the checkboxes we are about to set all over again. Everything is done in two clicks.

Administrators

WP user name.

Here you change the administrator's name, and it is necessary to do so. By default it is admin or wp-admin. Change it to something else, for example myblog-admin or ja-vasja-ivanov. And in general forget the word admin once and for all.

Display name.

Come up with any name except admin. And I also advise, if you have a lot of accounts, to make the display names different.

Password.

The most interesting tab. With our gauge you can determine in a second how easy your password is to crack. Just enter the proposed password in the field, and it will immediately show you the time in which it could be cracked. In our case, 9 years 6 months.

Authorization

Login lockdown.

Turn it on as in the screenshot. It is reasonable to set values that agree with common sense. For example, if a wrong password was entered 3 times within 5 minutes, the IP is blocked for an hour. That is the default. I agree with this arrangement. You can change it, but only within reasonable limits.

Blocked IPs can be viewed below.

Failed login attempts.

Here you can see the creatures. Track who climbs in often and take action. I currently have only one, because I recently cleared the list.

Automatic logout of users.

Turn it on and set the time, 600 minutes, after which the user will be logged out.

Account activity log and Active sessions: informative.

Registration of users

In Manual approval and CAPTCHA at registration, tick the checkboxes.

Database table prefix.

I did not tick this one, but if you want to, first back up your database. Just in case.

Backup.

Tick it and set the frequency of backup creation. Also specify the number of these backups to be stored in a special directory of the plugin.

File System Protection

File permissions.

Editing PHP files.

This is for those who edit files through the admin panel. Tick it if you do not edit files that way; do not tick it if you do. But in general it is not recommended to edit files in the admin panel. Although everyone does. If you make a mistake, you will not have the chance to quickly undo it with Ctrl+Z.

Access to WP files.

Tick it, thereby prohibiting access to the WordPress info files.

System logs.

Leave as is.

WHOIS-search

I did not do anything here. I do not need to find out anything about a particular IP.

Black list

This is for those who often show up on your site with suspicious intentions; you can see them under Authorization - Login lockdown - Blocked IPs. If there are any, tick the checkbox and enter these IPs.

Firewall

Basic firewall rules.

First make a backup of the .htaccess file, if you have not done so already, and tick it.

Additional firewall rules.

Do not tick the additional character filtering. Not all comments would get through, giving a 403 error, which is also not very good.

5G settings.

Turn it on.

Internet bots.

Do not tick the checkbox.

Prevent hotlinks.

Turn it on.

404 detection.

Turn it on and set the time to 5 minutes.

Protection against brute-force attacks

Cookie-based brute-force protection.

Do not enable it if you do not want problems with various kinds of devices.

CAPTCHA on login.

I don't know about you; if you want to turn it on, turn it on. I did not.

Login whitelist.

Do not turn it on. Surely you will log in to your blog from different devices, places and IPs.

Honeypot.

Turn it on.

Spam protection

Comment spam.

CAPTCHA in the comment form: do not tick. Block comments from spambots: tick.

BuddyPress.

Adds a CAPTCHA to the BuddyPress form. No need to use it.

Scanner

As I understand the damage done by a hack: hackers change some files in the system, and without finding which ones, attempts to restore the site are not crowned with success. So with this feature you can track exactly what changed recently. I just admire it... turn on automatic file scanning.

Malware scanning.

You have to pay for it.

Service Mode

Please note what this service means. Enabling maintenance mode means turning off your site entirely. It will not be visible to anyone, including robots, so it will not be indexed. Therefore keep this in mind and do not tick this box without an acute need.

Your humble servant disabled the site for 2 days, until he noticed the drop in traffic and went looking for the cause.

In the text box, write what visitors will see while the site is disabled.

Miscellaneous

Here I only understand copy protection. I do not tick it; let them copy everything, it's so nice)))

Result

We have set up the plugin. Go to the control panel and see the new level of security. I am sure it is much higher than it was. Now you can be calm about the security of your site.

And, characteristically, you will now look in here regularly, which you did not do before with this kind of plugin.

Use it, live and work calmly and productively.

See you online!

Hello everyone! Today we will talk about WordPress security. I recently published an article in which I talked about it. Today, from words to action. In this article I will tell you about the All In One WP Security & Firewall plugin. This plugin covers most site security points, which reduces almost all of the blog's security configuration to configuring one plugin. And it is almost entirely Russified, which is important for many users.

The first thing to do is create a full backup of the site. This plugin is quite large and serious. Install the plugin in the usual way: go to the blog admin panel, go to Plugins, click the "Add New" button. In the search box enter "WP Security". Install the desired plugin, then activate it (Fig. 1).

Fig. 1. Installing the All In One WP Security & Firewall plugin.

Control Panel

After installation, a menu called "WP Security" appears in the admin menu. The first submenu is "Control Panel". Here you find summary information on site security (Fig. 2).


Fig. 2. Control Panel Al In One WP Security & Firewall.

Let's look at it in more detail. There are several tabs on this page.
  • Control Panel. The first tab, with the same name as the submenu. Summary statistics are provided here. The site security level is measured in points (the "security meter"). Points are assigned for each correctly configured item. In total you can score 480 points, which means you have done everything possible. This is not always required. For example, this plugin can be configured to back up the database; if you have set up a separate backup plugin, you do not need to do this again. My blog in this example already had a good user (the login is not admin, the display name differs from the nickname), and I changed the table prefix when installing the engine. For this alone I immediately have 30 points out of 480.
  • The next tool is "Your site security chart". All scored points are shown as a chart. You can see what percentage of the total number of points each setting contributes.
  • The next two blocks are useless: "Tell your friends" and "Get to Know the Developers", i.e. more information about the developers.
  • "Last 5 logins". This window lists the five latest logins to the blog, with information about who logged in and when.
  • "Active sessions". This window shows who is on the site (in the admin panel) right now with rights above those of an ordinary visitor.
  • "Current status of the most important functions". The window shows the functions that must be turned on.
  • "Maintenance mode". This window has a switch to turn off the site. Visitors will see an information text instead of the site. This feature is needed if you are doing technical work on the site.
  • "Blocked IP addresses". Once you configure IP blocking, blocked IPs will be shown here.
  • System information. Contains information about the site, about the system the engine runs on, and a list of active plugins.
  • Blocked IP addresses. Blocked IP addresses and information about them are described in detail.
  • Permanent block list. List of temporarily blocked IP addresses. For example, you can block an IP for an hour after 3 unsuccessful attempts to enter the admin password, to prevent password guessing.

Settings


Fig. 3. Settings of the AL IN ONE WP Security & Firewall plugin.

This submenu has several tabs.
  • General settings. At the very beginning we are offered a few links that create backup copies of the database and some files. Then there are 2 buttons that disable the security and firewall functions. These buttons remove all of the plugin's settings made on the blog to improve security; in essence, a rollback to the initial state before the plugin was configured on the site.
  • .htaccess file. Everything is simple in this tab: creating a backup of the .htaccess file and restoring it.
  • wp-config.php file. Same as the previous item: creating a backup of the file and restoring from it.
  • WP version info. From this point on, the real configuration of blog security begins. If you remember, in the article about WordPress security I said that the engine outputs information about its version in a meta tag on the blog. If you tick the "Remove WP generator meta data" checkbox, the engine version will no longer be displayed on the blog pages. And you get +5 security points.
  • Import/Export. The plugin settings can be saved separately and restored if necessary, or transferred to another blog.

Administrators

  • WP user name. I recommended not using standard logins. The plugin recommends the same. If your login is admin, create a new administrator and delete admin.
  • Display name. In the account settings, configure the display name so that it does not coincide with the login.
  • Password. An interesting calculator. You can enter your password and learn how much time a home computer would need to guess it. But note that servers are usually used, and sometimes a group of servers (a cluster), which significantly speeds up password guessing.
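The point about servers and clusters above can be made concrete. The following script is an added example, not code from the plugin or from the article: it estimates the worst-case time to exhaust a password's keyspace at several guess rates. The character-class alphabet sizes and the three guess rates are assumptions chosen for illustration, and the estimate ignores dictionary attacks, so it is an upper bound on attacker effort, not a promise.

```php
<?php
// Added example, not the plugin's code: estimate how long an exhaustive guess of a
// password would take at a given guess rate, to show why the "home computer" figure
// in the Password tab is optimistic against a server cluster.

/** Size of the alphabet a brute-force attacker must cover, from the character classes used. */
function charset_size(string $password): int
{
    $size = 0;
    if (preg_match('/[a-z]/', $password)) { $size += 26; }
    if (preg_match('/[A-Z]/', $password)) { $size += 26; }
    if (preg_match('/[0-9]/', $password)) { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $size += 33; } // printable ASCII punctuation (assumed)
    return $size;
}

/** Seconds to try the whole keyspace (worst case) at $guesses_per_second; no dictionary shortcuts assumed. */
function crack_seconds(string $password, float $guesses_per_second): float
{
    $keyspace = pow(charset_size($password), strlen($password)); // PHP promotes to float on overflow
    return $keyspace / $guesses_per_second;
}

function human_duration(float $seconds): string
{
    $year = 365.25 * 24 * 3600;
    if ($seconds >= $year) { return sprintf('%.1f years', $seconds / $year); }
    if ($seconds >= 86400) { return sprintf('%.1f days', $seconds / 86400); }
    if ($seconds >= 3600) { return sprintf('%.1f hours', $seconds / 3600); }
    return sprintf('%.0f seconds', $seconds);
}

// Guess rates are assumptions for illustration: an online attack through the login form
// is throttled by network round trips (and by login lockdown); an offline attack on a
// stolen password hash runs many orders of magnitude faster, more so on a GPU cluster.
$rates = [
    'online login form (~10 guesses/s)'     => 10,
    'single home PC, offline hash (1e9/s)'  => 1e9,
    'GPU cluster, offline hash (1e12/s)'    => 1e12,
];

foreach (['qwerty12', 'Xk7#pL2q9!vR'] as $candidate) {   // constructed sample passwords
    printf("%s (charset %d, length %d)\n", $candidate, charset_size($candidate), strlen($candidate));
    foreach ($rates as $label => $rate) {
        printf("  %-40s %s\n", $label, human_duration(crack_seconds($candidate, $rate)));
    }
}
```

Run it with `php estimate.php`. The 8-character lowercase-plus-digits sample drops from thousands of years at online speed to under an hour once the hash is attacked offline on one machine, which is exactly the gap between the tab's "home computer" estimate and a real attacker; the 12-character mixed sample stays out of reach at all three rates, which is why the first article recommends at least 10 characters.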

Authorization

  • Login lockdown. My favourite tab. Tick "Enable login lockdown" to block failed login attempts, i.e. password guessing. All settings are intuitive. You configure how many incorrect attempts within what time are considered a hacking attempt, and the sanctions for it. You can immediately block a user who enters a non-existent login (I do this); guessing usually begins with the login. And specify your email: a letter will arrive on unsuccessful login attempts. Whitelists are also configured for logins and IPs; if you connect from a constant IP, you can configure that.

At this stage I recommend pausing and watching the situation for several days. If you are curious how interesting your blog is for hacking, and whether password guessing is being attempted on it, do not configure the rest of the settings for a while. Personally, I was surprised by how strong the interest in my new site was.

  • Failed login attempts. The tab presenting information about failed logins: the login error log.
  • Automatic logout of users. Here you can configure the time after which a user is logged out. A bit inconvenient, but if cookies are stolen (a fairly common type of hack), the thief will not be able to use them, since they will have expired and the login sessions closed. If you did not understand that, nothing terrible; just trust that it is safer this way.
  • Account activity log. A very useful tab. Look here from time to time: who logged in to the blog, when and from where.
  • Active sessions. This tab shows authorized users who are online now.

Registration of users

  • Manual approval. If registration is open on your site (you, by the way, may not even know about it), you can make approval of registrations manual.
  • CAPTCHA during registration. Tick to use a CAPTCHA during registration.
  • Registration honeypot. A certain field on the registration page that only a bot will react to; a person will leave it alone.

Database protection

  • Database table prefix. If you did not change the table prefix during the WordPress installation, the plugin will help you do it. Just make a backup before the conversion.
  • Database backup. The plugin offers to create scheduled backups of the database. I consider it a shortcoming of the plugin that it can back up only the database. Therefore I prefer other tools for creating full backups. But this plugin regularly makes database backups and sends them by email.

File System Protection

  • File permissions. On this tab you configure file access rights so that important files cannot be changed from scripts.
  • PHP file editing. At your discretion. Personally, I disable editing PHP from the admin panel. I prefer it that way.
  • WP file access. This tab denies access to the readme.html, license.txt and wp-config-sample.php files. The readme.html and license.txt files are better removed altogether.
  • System logs. On this tab you can view the system logs directly from the admin panel without going to the hosting. You just need to ask the hoster where they are and what they are called.

WHOIS-search

The meaning is this. The plugin has a geolocation database. When analysing threats to the site, we have information about which IP address an action (attack) came from. On this tab you can see detailed information about that IP.

Black list

Ban users. Be careful with this option. A lot of users go online with dynamic addresses. The fact that an attack comes from some IP does not mean that in a week this IP will not be assigned to another user, who will then be unable to reach your site. It happened to me: I could not register on a site because my IP was on its blacklist. I had to contact the site's support. My IP is issued by my provider and changes periodically.

Firewall

  • Basic firewall rules. This page activates the basic firewall functions and disables XML-RPC remote procedure calls. This technology is mostly needed for interaction between mobile applications and the blog. If you do not use it, feel free to disable it.
  • Additional firewall rules. On this tab I do not enable everything. For example, why prohibit comments through a proxy? It is a normal situation for a visitor to access the Internet through a proxy. The remaining settings are needed. The ban on entering forbidden characters in the address bar is a desirable option; ordinary users have no need to enter non-standard queries.
  • 6G Blacklist firewall rules. A set of standard blog protection rules. I do not want to go into the details of what each one is for. If you do not understand what it means, simply activate the standard firewall rules.
  • Internet bots. Some scanners pass themselves off as Google bots, which are allowed to scan the site. The firewall can detect this in most cases.
  • Prevent hotlinks. A very useful option. Sometimes an article elsewhere refers to an image that lies on your site. The user clicks on the picture, and the traffic actually comes from your blog, not from the site where the picture was clicked. You should rid yourself of such excess load.
  • 404 detection. When site analysis and parameter probing begins, the attacker often lands on a 404 page. This is because some vulnerability parameters in scripts are being guessed. As a rule, it is a whole sequence of requests for non-existent pages, you could even say a squall. This behaviour is monitored and blocked.
  • Custom rules. You can write a rule manually.
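Both the Login lockdown tab (3 wrong passwords in 5 minutes, then a one-hour block, as described earlier in this article) and the 404 detection item above are the same mechanism: count events per IP inside a sliding time window and block the IP for a while once a threshold is crossed. The script below is an added example that is not the plugin's own code; it implements that logic stand-alone (PHP 8, no WordPress needed) and runs it over a constructed log. The login thresholds are the defaults the article quotes; the 404 thresholds (5 misses within a minute, 5-minute block) are an assumption chosen to match the short lockout the articles recommend.

```php
<?php
// Added example, not code from the plugin: a sliding-window threshold blocker of the kind
// the "Login lockdown" and "404 detection" tabs describe. Events (a failed login or a
// 404 hit) are counted per IP; once $maxEvents occur within $windowSeconds, the IP is
// blocked for $blockSeconds. Log lines and the 404 thresholds are constructed.

final class SlidingWindowBlocker
{
    /** @var array<string, int[]> event timestamps per IP */
    private array $events = [];
    /** @var array<string, int> block expiry (unix time) per IP */
    private array $blockedUntil = [];

    public function __construct(
        private int $maxEvents,
        private int $windowSeconds,
        private int $blockSeconds
    ) {}

    public function isBlocked(string $ip, int $now): bool
    {
        return isset($this->blockedUntil[$ip]) && $this->blockedUntil[$ip] > $now;
    }

    /** Record one event; returns true if this event triggered a block. */
    public function record(string $ip, int $now): bool
    {
        // Drop events that fell out of the window before counting.
        $recent = array_filter($this->events[$ip] ?? [], fn(int $t) => $t > $now - $this->windowSeconds);
        $recent[] = $now;
        $this->events[$ip] = array_values($recent);
        if (count($recent) >= $this->maxEvents) {
            $this->blockedUntil[$ip] = $now + $this->blockSeconds;
            $this->events[$ip] = [];   // start a fresh count after the block expires
            return true;
        }
        return false;
    }
}

// Constructed log: "<unix time> <ip> <event>", where event is LOGIN_FAIL or 404.
$log = <<<LOG
1700000000 203.0.113.7 LOGIN_FAIL
1700000030 203.0.113.7 LOGIN_FAIL
1700000090 203.0.113.7 LOGIN_FAIL
1700000120 203.0.113.7 LOGIN_FAIL
1700000400 198.51.100.9 LOGIN_FAIL
1700001000 198.51.100.9 LOGIN_FAIL
1700002000 198.51.100.9 LOGIN_FAIL
1700000500 192.0.2.44 404
1700000501 192.0.2.44 404
1700000502 192.0.2.44 404
1700000503 192.0.2.44 404
1700000504 192.0.2.44 404
LOG;

// Login lockdown defaults as the article describes them: 3 failures in 5 minutes -> 1 hour block.
$login = new SlidingWindowBlocker(maxEvents: 3, windowSeconds: 300, blockSeconds: 3600);
// 404 tracking with a short lockout (assumed thresholds): 5 misses in a minute -> 5 minutes.
$notFound = new SlidingWindowBlocker(maxEvents: 5, windowSeconds: 60, blockSeconds: 300);

foreach (explode("\n", $log) as $line) {
    [$ts, $ip, $event] = explode(' ', trim($line));
    $ts = (int) $ts;
    $blocker = $event === '404' ? $notFound : $login;
    if ($blocker->isBlocked($ip, $ts)) {
        echo "$ts $ip: request refused (already blocked)\n";
        continue;
    }
    if ($blocker->record($ip, $ts)) {
        echo "$ts $ip: blocked after reaching the $event threshold\n";
    }
}
```

Run it with `php blocker.php`. The first address is blocked on its third failure and its fourth attempt is refused outright; the second address fails three times too, but ten minutes apart, so the window never holds more than one event and it is never blocked, which is the behaviour the "within 5 minutes" part of the setting buys you; the third address trips the 404 rule on its fifth miss.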

Protection against Brutfors-Attacks

Rename the login page. Some hosting providers rename the admin login page themselves. This is a very important point. I recommend renaming it:

Login page address (URL): http://vash_site.ru/secretpage

Now, to get to the admin panel, instead of:
http://vash_sayt.ru/wp-admin

use
http://vash_site.ru/secretpage

  • Cookie-based brute-force protection. The plugin uses cookies to track a large number of failed logins. You can block such attempts.
  • CAPTCHA on login. You can use a CAPTCHA on various pages. I do not use this option in the plugin, as I use a separate CAPTCHA plugin. I did not really like the plugin's own CAPTCHA; too primitive.
  • Login whitelist. If you have a static IP address (meaning the address of the computer you use to access the admin panel), you can add your IP to the whitelist, and no plugin sanctions will be applied to it.
  • Honeypot. A certain hidden object (field) that only a bot will react to; the field is hidden from a person.

Spam protection

  • Comment spam. You can use a CAPTCHA in the comments. There is also an interesting and useful feature for blocking spambots. Spambots are usually scripts that run somewhere else, whereas a real user fills in the comment form on your site. This is very easy to detect and cut off.
  • Tracking IP addresses for comment spam. The plugin can independently decide that a comment is spam and block the IP address. It is hard to say how correct that is. If you have a small number of comments, you can cut them off manually.
  • BuddyPress. Integration with the BuddyPress plugin.

Scanner

Tracking file changes. A cool function; I really like it. Any change in any file will be detected during a scan and sent by email as a report. By viewing the changes you can understand what happened.

Service Mode

Blocking visitor access to the site. You can stop access to the site and output some text, for example about technical work.

Miscellaneous

  • Copy protection. An interesting function. If you want, you can disable the right mouse button on the site.
  • Frames. When an attempt is made to display the site inside another site's frame, the plugin will block such an action. Note that this setting affects the work of the Yandex.Metrica Webvisor.
  • User enumeration. You can find out a user's login through a request of the form:
http://vash_domen.ru/?author=1
This option restricts such requests.
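Several of the settings in this article (the WP version meta tag under Settings, the XML-RPC switch under Basic firewall rules, and the Frames and User enumeration items just above) correspond to a handful of WordPress core hooks. The following must-use plugin is an added example, not the plugin's own code, showing what those four settings do underneath; it assumes a standard WordPress install with write access to wp-content/mu-plugins/, and the 403 response for ?author=N is one reasonable choice of how to refuse the request, not the plugin's documented behaviour.

```php
<?php
/**
 * Plugin Name: Hardening hooks (added example, not part of All In One WP Security)
 *
 * Drop this file into wp-content/mu-plugins/ (assumed path). It applies four of the
 * settings discussed in the article using WordPress core hooks only.
 */

// "WP version info": stop wp_head from printing <meta name="generator" content="WordPress x.y">,
// and blank the generator string that feeds and other outputs would otherwise carry.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// "Basic firewall rules": turn off the XML-RPC endpoint unless a mobile app actually needs it.
add_filter('xmlrpc_enabled', '__return_false');

// "Frames": send X-Frame-Options: SAMEORIGIN on every response. Core normally uses this helper
// only for the admin; the article's caveat applies, tools that frame your site stop working.
add_action('send_headers', 'send_frame_options_header');

// "User enumeration": a request for /?author=1 normally redirects to /author/<login>/ and so
// leaks the login name. Refuse numeric ?author= queries on the front end before that happens.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
});
```

To check the result, fetch a page with curl -I and look for the absence of the generator meta tag in the HTML, the X-Frame-Options header in the response, a 403 for /?author=1, and a "XML-RPC services are disabled" response from xmlrpc.php. Note that the REST API's users endpoint is a separate enumeration path that these hooks do not cover.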

A little humour
A wife calls her husband at work to chat.
Husband: Sorry, dear, but I'm up to my neck in work today.
Wife: But, darling, I have news for you: good and bad.
Husband: Okay, I don't have time right now, just tell me the good news.
Wife: Well... in general... the airbag works.

Good luck mastering the material.

Recently, a rebranding and major update of one of the most successful and powerful plugins for protecting WordPress sites took place. And despite the developers' warnings, this update went off without a hitch (at least for most users). It was not even necessary to reactivate the plugin manually, which we had been warned about earlier.

I already wrote earlier about the name change and about what to expect from iThemes Security in the future. Now I want to present instructions for its detailed configuration. This guide will be especially useful to those users who do not understand technical English very well (the plugin has not yet been translated into Russian, even partially, as it was before) and are not familiar with some specific technologies.

As always in my articles, before proceeding to the "click here, click there" procedure, I suggest familiarising yourself with the theoretical part, namely what iThemes Security can do and what new features it has acquired. Those who have long been familiar with this plugin, or who are not interested in that, can go straight to the second part of the guide.

Features of the iThemes Security plugin (formerly Better WP Security)

Everyone knows that the main task of iThemes Security is to protect WordPress blogs from all sorts of attacks. And this protection, it must be said, is very high quality and powerful. At the moment the plugin has more than 30 ways of ensuring security in its arsenal. And its developers do not hesitate to call their brainchild "No. 1" among such plugins.

Yes, I immediately want to point out one important detail: security is never achieved by any single tool. Security is always a whole complex of measures. It should be understood that merely installing iThemes Security (or any other similar plugin) cannot guarantee you one hundred percent protection of the site. Therefore, always remember the basic principles of protection: Internet hygiene, keeping your computer clean of and protected against malware, and so on. And do not forget the human factor.

The main functionality of IThemes Security can be divided into several blocks.

Hide and removal (obscure) all that can carry a potential danger

  • Changing the URL of the entrance page to the administrator is a very useful feature, and in something even unique (in general in iThemes Security, as in the early Better WP Security, a lot of unique features).
  • Away Mode - complete locking of the admin at the specified time.
  • Deleting Windows Live Write and RSD headers.
  • Ban notifications about updating WP, themes and plugins.
  • Changing the username "admin" if it is used.
  • Change of default ID (1) administrator and prefix (WP_) Tables database
  • Changing the WP-Content directory.
  • Hiding the output of errors with incorrect login / password input.
  • Display for non-admins of random versions of plugins, the same nuclei.

Protect the WordPress site

Hiding parts of the site is very useful, but it cannot prevent every attack. So among iThemes Security's features there are, of course, active defences as well: blocking "bad" users, enforcing stronger passwords, and so on:

  • Scanning the site and promptly reporting weak points and vulnerabilities, with equally prompt remediation.
  • Blocking problem user agents, bots and the like.
  • Protection against password guessing (brute force) by locking out users and hosts after repeated failed attempts to log in to the admin area.
  • General hardening of the web server configuration.
  • Requiring users to use strong passwords.
  • Enforcing SSL for the admin area and for any other pages and posts (requires a certificate and server support).
  • Disabling the built-in editor for core, theme and plugin files.
  • Detecting and blocking various attacks on the file system and the site database.

Detect

  • Monitoring the file system for unauthorised changes.
  • Detecting "spiders" and "bots" that scan the site for vulnerabilities.
  • E-mail notifications when users and hosts are locked out.

Recover

iThemes Security makes regular (scheduled) backups of the WordPress database, which lets you quickly restore the site's original state if it is compromised. Unfortunately the basic version of the plugin does not back up files. That feature is available in iThemes' paid BackupBuddy product.

Other advantages

  • The ability to give the admin login page an easy-to-remember address (you can specify any address that is convenient for you).
  • 404 error detection, which matters not only for security but also for SEO (broken links to images, non-existent pages within the site, and so on).
  • Removing the jQuery version currently in use and replacing it with the current, secure one that ships with WordPress.

New iThemes Security features

  • Disabling PHP execution in the uploads folder.
  • Preventing the public display name from being the same as the login name.
  • Hiding author archives for authors with no posts.
  • Extended notification options.
  • and more.

So that is the functionality the iThemes Security plugin offers at the moment. It is unlikely to have serious competitors. Its one close competitor, in my opinion, is more finicky about the web server configuration and is aimed rather at advanced users.

Now that we have the plugin's capabilities figured out, it is time to configure it.

I also recommend a companion article reviewing new options not covered in this guide. In addition, I learned fairly recently that a wonderful girl named Jeanne Lira has already translated the plugin and shares the translation free of charge with the readers of her blog. If you need the Russian localisation, you can get it there.

Installing and configuring the iThemes Security plugin (ex-Better WP Security)

For new users, installation proceeds as usual, whichever way you prefer (the various ways of installing WP plugins are covered elsewhere). The plugin's page in the WordPress.org repository is still the same: https://wordpress.org/plugins/better-wp-security/. I do not know whether it will change in the future.

When searching from the admin area, the plugin is listed as "iThemes Security (formerly Better WP Security)", so at the moment it can be found under both the new name and the old one. How long that will remain the case, I also do not know.

So: find it, install it, activate it. The first thing you see is a screen like this:

We are interested in the "Secure Your Site Now" button. Click it, and you are greeted by the initial setup window "Important First Steps":

You can skip all of these basic settings and make them manually later; for that there is a "Dismiss" link in the lower right corner. But I recommend performing them now, automatically.

So, we see four buttons:

  1. Back Up Your Site: back up the site database. It is recommended to do this again (although you should have made a backup yourself before installing the plugin). The copy is created by the plugin itself and sent to your administrator e-mail.
  2. Allow File Updates: allow the plugin to edit wp-config.php and .htaccess, which it needs in order to work correctly. This button lets the plugin update these files automatically and safely.
  3. Secure Your Site: the "One-Click Secure" button applies the default settings; only the features that do not conflict with other plugins are activated. Everything else can be configured later.
  4. Help Us Improve: this button enables anonymous collection of data about your site (presumably the WP version, installed plugins, conflicts that arose, and so on) in order to improve the plugin in future. Once again, the statistics are anonymous and iThemes does not identify users by them. Decide for yourself whether to enable this option.

In short, press at least three of the four buttons in turn (each reports success), then click "Dismiss" to close the window.

Now iThemes Security needs to be configured more thoroughly.

All the plugin's settings are in its control panel (Dashboard):

At the top, as you can see, there are tabs through which the main navigation between settings pages is done. The main tab, Dashboard, contains several blocks. For convenience they can be collapsed, and they can be rearranged. In general they hold various overviews and notifications. On the right there are advertising offers from iThemes.

I will say right away that we will not configure iThemes Security through the "Fix It" buttons but on the next tab. Still, let us run through what is here:

Getting started

Here there is a short configuration video and a link to the developer's site, where you can get help or buy the Pro version of the plugin (as well as other products and services). We will not watch their video (what is my article for, then? =)), especially since it is in English. So collapse this block so that it does not get in the way, and drag it to the bottom if you like.

If you want to see a Russian-language video on updating and configuring iThemes Security, visit Dmitry's site. He promptly released an up-to-date video guide, for which many Runet bloggers owe him a great deal of respect (and so do I, hence the link).

Security status

This is perhaps the most important block on this page, so let us dwell on it.

It too has tabs, which indicate the severity of the notices: High, Medium and Low. There are two more: All (everything on one page) and Completed (what the plugin has already done or fixed).

High Priority items are highlighted in a fiery colour and require immediate attention.

In my case, as you can see, there is just one item: the need to schedule database backups.

Well, let us use the magic "Fix It" button.

We are taken straight to the second tab, Settings, in the backup settings section, with the item that needs fixing marked. In my case it is "Schedule Database Backups". Tick the checkbox (1), specify the interval (2) and save the changes with the "Save Changes" button (3).

Previously the schedule could be set to back up as often as every hour. Now the minimum interval is one day.

Go back to the Dashboard tab and see that there are no more high-severity notices.

You can go on in the same way through the Medium Priority and Low Priority items, also using the Fix It buttons. But we will take a different route and configure things manually on the Settings tab. If it is more convenient for you to do it from the Dashboard, that is fine; there is no real difference. It is just that the notices on the plugin's main page differ from site to site, so I will configure iThemes Security directly through the settings (which to my mind is also the more convenient and correct way).

But before that, let us quickly run through the remaining Dashboard blocks.

Active lockouts

Here the plugin reports which hosts (that is, IP addresses of bots or of real people) or users (those registered on the site) have been locked out for various prohibited actions.

System Information

Here is information about the active user (that is, you): your IP address and User Agent. Also listed here are:

  • The site's absolute URL and the root folder on the server
  • Whether the .htaccess and wp-config.php files are writable
  • Information about the database, the server and PHP
  • Some WordPress settings
  • The iThemes Security build in use (the build number you will need to quote when contacting support; it differs from the version number shown on the plugin's page, which is a different thing)

Rules written

Here you can see exactly which rules the plugin has written to the .htaccess file.

Rules for wp-config.php

The same as the previous item, but for the other file, as you can guess.

For my part I tweaked these blocks a little and collapsed all of them. That way the plugin's main control panel page looks more compact and opens faster:

All the plugin's settings are grouped in separate blocks (sections). For convenience they can also be collapsed or rearranged. There is a drop-down menu for quick navigation between sections, and the same menu follows you on the right-hand side of the viewing area as a floating block with a drop-down list.

Let me remind you right away that after making changes in any section they must be saved ("Save Changes").

Global Settings

The first item here is "Write to Files". It is already ticked, and the tick must not be removed under any circumstances (!). Otherwise you forbid the plugin from writing to .htaccess and wp-config.php, and all the rules and configuration parameters it generates would then have to be entered by hand.

The next two items specify e-mail addresses: one for notifications (Notification Email) and one for backups (Backup Delivery Email). The addresses may differ, and you can enter several; each e-mail address goes on a new line.

In the "Host Lockout Message" field you can specify the message shown to those the plugin has locked out. By default it laconically says "error". You could get creative and write something original, but there is little point, because for the most part it will be bots that get blocked.

In the "User Lockout Message" field you can enter the message displayed to registered users of the site whose account is locked for failed login attempts. You can leave the default, "You have been locked out due to too many login attempts".

"Blacklist Repeat Offender" is the blacklist of "repeat offenders", i.e. those who regularly try to guess passwords or perform other prohibited actions. The function is enabled by default, and I do not recommend turning it off.

"Blacklist Threshold" is the threshold for putting an IP address on the blacklist: the number of host or user lockouts after which the offender's IP address is permanently added to the blacklist. The default is 3. This means that if someone has been locked out three times for trying to guess the administrator's password, they go on the blacklist.

"Blacklist Lookback Period" is the number of days for which past lockouts are remembered when counting towards that threshold; lockouts older than this no longer count. The default is 7 days, and the value can be increased.

"Lockout Period" is the lockout duration: the length of time, in minutes, for which a host or user is locked out after an initial violation (without going on the blacklist).

Example: someone tries to guess the administrator's password, makes several failed attempts and is temporarily locked out for the specified number of minutes. If after being unlocked they do not stop their attack and collect two more lockouts (with a Blacklist Threshold of 3), they go straight onto the blacklist.

"Lockout White List" is the whitelist. Here you specify IP addresses that will never be locked out or blacklisted. If you have a static IP address, it is advisable to enter it here so that there are no potential difficulties with access (a dynamic address can be whitelisted as a range, see below).

Note that if you enable Away Mode (more on it later), you still cannot get into the admin area during the hours it specifies. Away Mode takes priority over the whitelist.

IP addresses in the whitelist are written in standard IPv4 form, for example 123.123.123.123. The asterisk (*) may be used to specify a range: an entry of the form 123.123.123.* means that all addresses from 123.123.123.0 to 123.123.123.255 are allowed. This is convenient if you do not have a static IP address, but keep the range as narrow as your provider's allocation allows, since every address in it is exempt from lockouts.

Each IP address or subnet goes on a new line.

"Email Lockout Notifications" sends a message to the address in the Notification Email field whenever a host or user is locked out.

"Log Type" is the logging type. Here you specify which logs iThemes Security keeps. There are three options: database only, file only, or both.

Each of these options has its advantages and disadvantages.

  • Database Only: all changes made to the database are written to the log, such as a new post or a new comment; backup creation is logged as well. Why an ordinary user would need this I do not understand, and I advise against this mode.
  • File Only: the more useful option. 404 errors, file changes (when that option is active) and so on are written to a file. I recommend this mode.

Bear in mind that any write to the server's disk (and logging is, naturally, a write) creates extra load, and the logs themselves take up space. It is odd that the plugin offers no way to disable logging entirely.

"Days to Keep Database Logs": how many days to keep the database logs. If you have not enabled database logging (Database Only or Both), it makes no difference what number you enter here. The file log is kept indefinitely, with one important condition: once it reaches 10 MB the file is overwritten. A welcome innovation, because previously the logs of some users ate a huge amount of disk space and had to be cleaned out manually with tedious regularity.

"Path to Log Files": the path to the log files. Everything is clear here. One note: the specified directory must be writable. And one recommendation: for security reasons do not store the logs in the site root, since a log readable over the web hands an attacker the paths, user agents and IP addresses the plugin records. In short, leave it as it is.

"Allow Data Tracking": allow statistics collection for iThemes. This is the same thing we already discussed. Enable it or not as you wish. Once again, the data is collected and sent anonymously, and it helps the development of the plugin.

Well, that is Global Settings done. On we go. Oh, how much I still have to write, and you to read =)

404 Detection

This function collects information about hosts that repeatedly trigger 404 errors and locks them out accordingly. The analysis is important for several reasons, the main one being to stop scanning for existing vulnerabilities.

The option has a side benefit: it helps you find hidden problems that cause 404 errors, such as "broken" images or non-working internal links. All errors are logged, and you can see them on the "Logs" tab.

First, this section shows some information about the current lockout settings (all of which we configured in the Global Settings block). Mine, for example, look like this:

"Enable 404 Detection": actually turns the feature on.

"Minutes to Remember 404 Error (Check Period)": the number of minutes (the check period) over which 404s are counted towards a lockout. The default is 5 minutes.

Example: some bot or scraper "hammers" the site looking for various vulnerable files and pages and, not finding them, receives 404 responses. Suppose it does this for a minute, stops for a minute, then starts again. The plugin remembers all of these requests, and the bot is soon locked out.

If, on the other hand, the bot "hammers" for 30 seconds and then leaves the site for 10 minutes, on its next visit the plugin treats it as a newcomer and does not remember the host's past "merits".

So the default value can be raised a little (for example, to 10 minutes).

"Error Threshold": the number of errors within the check period at which a lockout occurs. If you set it to 0, errors are logged without any lockouts (use this only for debugging, because it does nothing to stop vulnerability scanning).

The default is 20. I do not think it is worth raising, because 404 errors are produced not only by suspicious activity but also, for example, when the site has no favicon, and so on.

And here a good innovation has appeared in iThemes Security: an exception list (whitelist) for 404 errors. The most common files whose absence causes such errors are already on it:

You can add other well-known files to this list. But the more correct solution is to put things in order: create a favicon, apple-touch-icon.png, robots.txt, sitemap.xml and so on. After all, the whitelist does not prevent the server error itself, and as you already know, every write to the disk means extra load.
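
To make the check period, error threshold and whitelist above concrete, here is an added example (my own code, not the plugin's and not from the original article) that applies the same sliding-window rule to a few constructed Apache-style access-log lines. The function and variable names, the sample traffic and the whitelist contents are assumptions; only the three settings come from the page.

```python
# Added example, not part of the original article or of iThemes Security:
# a sliding-window 404 detector mirroring the "check period", "error
# threshold" and 404 whitelist settings, run over constructed log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CHECK_MINUTES = 5        # "Minutes to Remember 404 Error (Check Period)"
ERROR_THRESHOLD = 20     # "Error Threshold"; 0 means log only, never lock out

# Missing files that are normal and must not count (assumed subset of the plugin's list)
WHITELIST = {"/favicon.ico", "/robots.txt", "/sitemap.xml",
             "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_404_scanners(lines, threshold=ERROR_THRESHOLD, period_minutes=CHECK_MINUTES,
                        whitelist=WHITELIST):
    """Return {ip: time_of_lockout} for hosts that reach `threshold` counted 404s
    inside any window of `period_minutes`. Whitelisted paths are never counted."""
    period = timedelta(minutes=period_minutes)
    windows = defaultdict(deque)   # ip -> timestamps of counted 404s still inside the period
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status != 404 or path.split("?", 1)[0] in whitelist or ip in locked:
            continue
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > period:      # forget hits older than the check period
            q.popleft()
        if threshold > 0 and len(q) >= threshold:
            locked[ip] = ts
    return locked


def _line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed traffic: a fast scanner, a normal visitor and a slow scanner."""
    base = datetime(2024, 1, 1, 3, 0, 0, tzinfo=timezone.utc)
    lines = []
    # fast scanner: 22 probes for non-existent plugin files within two minutes
    for i in range(22):
        lines.append(_line("203.0.113.9", base + timedelta(seconds=5 * i),
                           f"/wp-content/plugins/old-plugin-{i}/readme.txt", 404))
    # normal visitor: one broken image link plus the usual favicon miss
    lines.append(_line("198.51.100.7", base, "/wp-content/uploads/missing.png", 404))
    lines.append(_line("198.51.100.7", base, "/favicon.ico", 404))
    lines.append(_line("198.51.100.7", base, "/", 200))
    # slow scanner: 25 probes one minute apart, never 20 inside a 5-minute window
    for i in range(25):
        lines.append(_line("192.0.2.44", base + timedelta(minutes=i), f"/backup-{i}.zip", 404))
    return lines


if __name__ == "__main__":
    for ip, when in detect_404_scanners(build_sample_log()).items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
```

With the defaults only the fast scanner is locked out (on its 20th probe); the slow scanner slips through exactly as the article's "30 seconds, then 10 minutes away" case describes, and only a longer check period catches it. That is the trade-off behind the suggestion to raise the period to 10 minutes.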

Away Mode

This mode lets you completely disable access to the WordPress admin area on specified days or at specified hours. It can be very useful, and it certainly does no harm as an extra layer of protection.

How does it work? Suppose you never log in to the admin area at night or early in the morning. Or say you are going on holiday and know for certain that you will not use the admin area then. Why not disable it altogether for those hours or days? Right? Right.

Before enabling and configuring this option, remember that the time zone used by the site may differ from your real one. So base the Away Mode settings on the site's own global time zone setting.

To enable the mode, tick the "Enable Away Mode" checkbox.

If you choose Daily, two parameters become available to specify the interval: Start Time and End Time. Times are given in 12-hour format, AM before noon and PM after noon.

Example: if I want to block the admin panel from 2 at night until 7 in the morning, I specify 2:00 am to 7:00 am. If in doubt, google it; there are online services and tables for converting between 24- and 12-hour formats.

If you choose the one-time lockout mode, you specify the date and time at which it starts and the date and time at which it ends. Simple.
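
The time-zone warning above is where people get bitten, so here is an added example (my own code, not the plugin's) of the Away Mode decision made in the site's time zone rather than the visitor's, for both the daily and the one-time modes. It also handles a daily window that crosses midnight (for example 10:00 pm to 6:00 am), which a naive start-before-end comparison gets wrong. The site time zone (UTC+3) and the function names are assumptions.

```python
# Added example, not from the article or the plugin: the Away Mode decision
# evaluated in the site's time zone, for daily and one-time schedules.
from datetime import datetime, timedelta, timezone

# Assumed WordPress "Timezone" setting (UTC+3, no DST). With zoneinfo available
# you would use ZoneInfo("Europe/Moscow") here instead of a fixed offset.
SITE_TZ = timezone(timedelta(hours=3))


def parse_12h(text):
    """Turn the form's 12-hour entry ('2:00 am', '11:30 PM') into a time object."""
    return datetime.strptime(text.strip().lower(), "%I:%M %p").time()


def daily_blocked(now, start, end, site_tz=SITE_TZ):
    """Daily mode: True when the site-local wall-clock time is inside [start, end).
    `now` is an aware datetime; a window such as 22:00-06:00 wraps past midnight."""
    local = now.astimezone(site_tz).time()
    if start <= end:
        return start <= local < end
    return local >= start or local < end       # window crosses midnight


def one_time_blocked(now, start_local, end_local, site_tz=SITE_TZ):
    """One-time mode: start/end are naive datetimes typed in site-local time."""
    start = start_local.replace(tzinfo=site_tz)
    end = end_local.replace(tzinfo=site_tz)
    return start <= now < end


def admin_allowed(now_iso, schedule, site_tz=SITE_TZ):
    """now_iso: ISO-8601 timestamp with offset, e.g. '2024-01-01T00:30:00+00:00'.
    schedule mirrors the form: {"mode": "daily", "start": "2:00 am", "end": "7:00 am"}
    or {"mode": "one_time", "start": "2024-01-10T00:00", "end": "2024-01-20T00:00"},
    one-time bounds being typed in site-local time (no offset)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must carry a UTC offset")
    if schedule["mode"] == "daily":
        blocked = daily_blocked(now, parse_12h(schedule["start"]), parse_12h(schedule["end"]), site_tz)
    else:
        blocked = one_time_blocked(now, datetime.fromisoformat(schedule["start"]),
                                   datetime.fromisoformat(schedule["end"]), site_tz)
    return not blocked


if __name__ == "__main__":
    night = {"mode": "daily", "start": "2:00 am", "end": "7:00 am"}
    # 00:30 UTC is 03:30 site time, so the admin area is closed even though
    # a visitor in the UTC zone would think it is "only half past midnight"
    print(admin_allowed("2024-01-01T00:30:00+00:00", night))
```

Note that the same instant written with a different offset gives the same answer, because the comparison always converts to site-local time first. The whitelist from Global Settings deliberately does not appear here: as the article says, Away Mode wins over it.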

Banned Users

This feature lets you completely deny access to the site to particular hosts and user agents, which helps against spammers, scrapers and other unwelcome people and bots.

First of all, we are offered to enable a baseline blacklist of known problem user agents, compiled by the HackRepair.com group.

What is a User Agent, in general? In our case it is a string by which the web server identifies the client connecting to it. It contains the browser in use, the OS and so on. Search robots have their own user agents, as do spam bots and various scrapers. Blacklists like this one are built from known unwanted user agents.

You can see your own User Agent (UA), for example, on http://whatsmyuseragent.com/. Try opening that page in different browsers and note how the UA differs. Bear in mind that the UA is set by the client and is trivial to forge, so a UA blacklist stops only the lazy bots; the lockouts described elsewhere in this guide are what deal with the rest.

So, to enable the baseline blacklist, tick "Enable HackRepair.com's Blacklist Feature". If you want the most recent and complete list of "bad" user agents and hosts, it can always be taken from http://pastebin.com/5hw9kznw and added to the .htaccess file.

One remark! I recently saw the claim that this option is better left off because it may block some search robots. Personally I have always had this blacklist enabled and have not observed any problems with the spiders' access to the site in either Yandex.Webmaster or Google Webmaster Tools. So I recommend enabling it. Besides, you can read through the list and satisfy yourself that it contains neither Google's nor Yandex's identifiers.

In addition to the default blacklist, you can block specific hosts or UAs manually. To do that, enable the "Enable Ban Users" option, after which three input fields become available:

  • Ban Hosts: block hosts. You can enter any IP addresses from which your site is regularly visited or spammed.
  • Ban User Agents: block UAs. In most cases there is no need to add to this list manually; the baseline HackRepair.com list is enough. But if you notice a persistent attack from a particular UA, why not make use of the ability to block it.
  • Whitelist Users: the whitelist, where you can put your own IP address.

IP addresses in these lists are entered on the same principle as in the Lockout White List.

Brute Force Protection

A very important feature, an extra shield on top of changing the admin URL. And if you do not use the hidden login page (covered a little later), this feature becomes not just important but essential. Moreover, it lets you drop separate plugins that do the same job (Limit Login Attempts, Login Lockdown and others).

The option is enabled by default. If for some reason the tick next to "Enable Brute Force Protection" is not set, set it.

The "Max Login Attempts Per Host" parameter is the maximum number of attempts from a single host. The default is 5: if someone enters a wrong login or password 5 times in a row, that host is locked out for the configured lockout period.

"Max Login Attempts Per User" is the number of attempts for a particular user: if someone hammers a specific username (or the attacker knows a login that exists on the site) but keeps getting the password wrong, that user account is locked out. The default is 10 attempts. Note that this per-user limit can also be used to lock the real administrator out on purpose, which is one more reason to put your own IP address on the Lockout White List.

The final parameter in this block, "Minutes to Remember Bad Login (Check Period)", is the period over which the plugin remembers failed login attempts. Leave it at 5 minutes, or increase it if you wish.
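
The per-host and per-user limits here, together with the lockout period, blacklist threshold, lookback period and whitelist from Global Settings, form one mechanism, so here is a single added example (my own code, not iThemes Security's) that implements it as a small state machine and runs two constructed scenarios through it. Class, method and scenario names are mine; the thresholds are the defaults the article quotes, and the assumption that the whitelist overrides every other state is mine as well.

```python
# Added example, not from the article or from iThemes Security: the lockout
# and blacklist logic of Global Settings + Brute Force Protection, fed with
# constructed login failures. Defaults are the ones the article quotes.
import fnmatch
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class LoginGuard:
    def __init__(self, max_per_host=5, max_per_user=10, check_minutes=5,
                 lockout_minutes=15, blacklist_threshold=3, lookback_days=7, whitelist=()):
        self.max_per_host = max_per_host                          # "Max Login Attempts Per Host"
        self.max_per_user = max_per_user                          # "Max Login Attempts Per User"
        self.check_period = timedelta(minutes=check_minutes)      # "Minutes to Remember Bad Login"
        self.lockout_period = timedelta(minutes=lockout_minutes)  # "Lockout Period"
        self.blacklist_threshold = blacklist_threshold            # "Blacklist Threshold"
        self.lookback = timedelta(days=lookback_days)             # "Blacklist Lookback Period"
        self.whitelist = list(whitelist)          # "Lockout White List": "203.0.113.7" or "203.0.113.*"
        self.host_fails = defaultdict(deque)      # ip -> failure times inside the check period
        self.user_fails = defaultdict(deque)      # username -> failure times inside the check period
        self.host_locked_until = {}
        self.user_locked_until = {}
        self.host_lockouts = defaultdict(deque)   # ip -> times of past lockouts inside the lookback
        self.blacklist = set()

    def whitelisted(self, ip):
        # fnmatch's '*' also matches dots, so "203.0.113.*" covers the whole /24 as in the article
        return any(fnmatch.fnmatchcase(ip, pat) for pat in self.whitelist)

    def status(self, ip, user, now):
        """What a login request from ip for user would get at time now."""
        if self.whitelisted(ip):                  # assumption: whitelist overrides every lockout
            return "allowed"
        if ip in self.blacklist:
            return "blacklisted"
        if self.host_locked_until.get(ip, now) > now:
            return "host-locked"
        if self.user_locked_until.get(user, now) > now:
            return "user-locked"
        return "allowed"

    def _count(self, window, now):
        """Add one event and return how many events fall inside the check period."""
        window.append(now)
        while window and now - window[0] > self.check_period:
            window.popleft()
        return len(window)

    def failed_login(self, ip, user, now):
        """Record one bad password from ip against user; return the resulting status."""
        if self.whitelisted(ip) or ip in self.blacklist:
            return self.status(ip, user, now)
        if self._count(self.host_fails[ip], now) >= self.max_per_host:
            self.host_fails[ip].clear()
            self.host_locked_until[ip] = now + self.lockout_period
            past = self.host_lockouts[ip]
            past.append(now)
            while past and now - past[0] > self.lookback:
                past.popleft()
            if len(past) >= self.blacklist_threshold:   # "Blacklist Repeat Offender"
                self.blacklist.add(ip)
        if self._count(self.user_fails[user], now) >= self.max_per_user:
            self.user_fails[user].clear()
            self.user_locked_until[user] = now + self.lockout_period
        return self.status(ip, user, now)


def simulate_repeat_offender():
    """One host guessing 'admin' in three bursts spaced past the lockout period:
    lockout, lockout, then the third lockout lands it on the permanent blacklist."""
    guard = LoginGuard(whitelist=["198.51.100.*"])
    t0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)
    trace = []
    for burst in range(3):
        start = t0 + timedelta(minutes=16 * burst)   # 16 min > the 15-minute lockout
        for i in range(5):
            trace.append(guard.failed_login("203.0.113.9", "admin", start + timedelta(seconds=10 * i)))
    # a whitelisted office host mistyping its password is never locked out
    office = [guard.failed_login("198.51.100.23", "editor", t0 + timedelta(seconds=i)) for i in range(8)]
    return guard, trace, office


def simulate_rotating_ips():
    """Ten guesses at 'admin', each from a different host: the per-host counter
    never trips, but the per-user limit locks the account (real admin included)."""
    guard = LoginGuard()
    t0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)
    return [guard.failed_login(f"192.0.2.{i}", "admin", t0 + timedelta(seconds=i)) for i in range(10)]


if __name__ == "__main__":
    guard, trace, _ = simulate_repeat_offender()
    print(trace, sorted(guard.blacklist), simulate_rotating_ips()[-1])
```

The second scenario is the point of the caveat above: a distributed guesser that never exceeds five attempts per host still trips the per-user limit, and from then on the legitimate "admin" is locked out too unless their address is whitelisted.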

Database Backups

It is well known that backups are one of the best ways to protect against attacks and to recover from their consequences. Every blogger or site owner simply must have daily database backups.

In most cases bloggers leave this task to the hosting provider. But, as the saying goes, aide-toi et le ciel t'aidera. So in addition to the host's backups you should always have a fallback. Some use dedicated plugins and scripts for this, but why? iThemes Security handles the task perfectly well.

So, the first parameter here is "Backup Full Database", which backs up every table in the database. If you enable it, absolutely all tables are included, even ones that have nothing to do with the site (for example, tables of some third-party scripts). Just in case, I recommend enabling it, although it is not critical.

  • Save Locally and Email: store backups on the server and send them by e-mail
  • Email Only: send by e-mail only
  • Save Locally Only: store on the server only

I recommend using Email Only (if your database is not very large), because storing backups on the same server as the site itself is (a) pointless, since whatever takes the server down or compromises it takes the backups with it, and (b) a waste of disk space. Bear in mind that the e-mailed dump contains user data and password hashes, so the mailbox that receives it needs to be protected as well as the site.

If you do decide to store backups on the server, the "Backup Location" field lets you specify the directory for them (or leave the default path). Under no circumstances should you point it at the site's root folder, where the dump would be downloadable over the web.

Make sure that "Compress Backup Files" is ticked: the database dump is packed into a zip archive, which significantly reduces its size.

Next comes the list of tables that can be excluded from backups (Exclude Tables). These are tables created by certain plugins, which do not always hold anything of real value.

By default the "Excluded Tables" field contains the tables created by iThemes Security itself, and the "Tables for Backup" field on the other side lists the tables created by various plugins (mostly assorted logs) that are usually not directly related to the site's content.

If you are confident that some of those tables are of no use in a database backup, you can exclude them, which can noticeably reduce the size of the backups. If you are not sure, leave everything as it is.

In any case, remember that these backups may differ from those the hosting provider makes, since the host makes full database backups. That does not mean the backups created by iThemes Security are unusable; far from it.

And then comes the schedule, "Schedule Database Backups", which we already discussed near the beginning. I recommend the minimum possible value, 1 day, so that a backup of the site arrives in your mailbox every day.

File Change Detection

Even the best security solutions can fail. How, in that case, do you find out that someone has obtained administrative access to your site? Most likely the attacker will modify some files, injecting their own code into them. Tracking such changes is what this feature does.

Unlike other solutions, iThemes Security compares the files locally against the state recorded at the last check, rather than checking them against "factory" copies fetched remotely. The caveat is that this baseline lives on the same host as the site, so an attacker with full access could in principle tamper with it as well; the e-mail notifications described below are your copy of the record that they cannot reach.

After each check you will know whether changes were made by you personally or appeared as a result of a compromise. Pay particular attention to system files that suddenly change for no visible reason (there were no updates, you made no changes yourself, and so on).

If malicious code does turn up on your site, this option makes it easier to trace when and where it could have been added.

Press the "Scan Files Now" button to index the files and run the initial scan. If changes are detected, you are taken to the "Logs" page to view the details. File change logs are in their own section:

Back to the settings. To enable the daily automatic file change check, tick "Enable File Change Detection".

The next parameter, "Split File Scanning", splits the scanned files into categories. There are 7: plugins, themes, wp-admin, wp-includes, uploads, wp-content, and everything that does not fit the previous categories. The checks of these parts are spread evenly over the day. This means more notifications, but a lower load on the server, which matters on "weak" hosting.

Why is this important? Previously, with file change detection enabled, so many notifications were sent that many people simply switched the option off. One reason was that with caching plugins the files on the host change very often and in large numbers (the cache). Now such cache files can be excluded from the check.

It is done like this (using the cache folder of the Hyper Cache plugin as an example; other similar plugins most likely use the same folder):

It is also possible not to exclude certain files and folders but, on the contrary, to check only selected ones. For that, choose "Include selected" in the drop-down menu and specify which files and folders you want to monitor.

In the "Ignore File Types" field you can list file extensions that the change tracker will ignore: image files and the like. Do not put text files there (including PHP, JS and so on), because it is in those that malicious or other foreign code is usually injected.

The "Email File Change Notifications" parameter sends change notifications to the address(es) given in Global Settings.

The "Display file change admin warning" option enables or disables showing notifications in the admin area.

You can choose both or just one. If you turn both off you will receive no notifications at all, but changes can still be viewed on the "Logs" tab.
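
To show what "compare against the last check, with an excluded cache folder and ignored extensions" means in practice, here is an added example (my own code, not the plugin's) that builds a throwaway WordPress-like tree in a temporary directory, records a baseline of file hashes, makes some benign and some suspicious changes, and reports the difference. The directory layout, file contents, function names and the exclusion and ignore lists are all constructed for the example.

```python
# Added example, not from the article or the plugin: a baseline-and-compare
# file integrity check with an excluded cache directory and ignored extensions,
# run on a temporary tree so that no real site is touched.
import hashlib
import tempfile
from pathlib import Path

IGNORE_EXTS = {".jpg", ".png", ".gif", ".log"}   # "Ignore File Types": never text or code
EXCLUDE_DIRS = {"wp-content/cache"}               # e.g. the Hyper Cache output folder


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore_exts=IGNORE_EXTS, exclude_dirs=EXCLUDE_DIRS):
    """Map every monitored file (relative POSIX path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in exclude_dirs):
            continue
        if p.suffix.lower() in ignore_exts:
            continue
        hashes[rel] = sha256_of(p)
    return hashes


def compare(baseline, current):
    """Report what differs between two snapshots, as the plugin's log would."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f]),
    }


def demo():
    """Baseline a small constructed site, then make benign and suspicious changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        for d in ("wp-includes", "wp-content/cache", "wp-content/uploads"):
            (site / d).mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-includes/functions.php").write_text("<?php function wp_ok() {}\n")
        (site / "wp-content/cache/page.html").write_text("cached page\n")
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = snapshot(site)

        # benign churn: the cache is rewritten and an image is re-uploaded
        (site / "wp-content/cache/page.html").write_text("cached page v2\n")
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        # what a compromise looks like: a core file grows and a PHP file appears in uploads
        (site / "wp-includes/functions.php").write_text("<?php function wp_ok() {}\n/* unexpected addition */\n")
        (site / "wp-content/uploads/unexpected.php").write_text("<?php /* should not be here */\n")
        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    print(demo())
```

The report names only the two changes worth a look, the modified core file and the new PHP file under uploads, while the rewritten cache page and the re-uploaded image stay silent. That is exactly the noise reduction the exclusion and ignore settings above are for, and the PHP-in-uploads case is the one the "disable PHP execution in uploads" feature from the feature list exists to neutralise.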

Hiding the site's login page

Another unique feature of iThemes Security, with which you can protect your site from brute-force attacks.

It works like this: instead of the standard admin login URL (site.ru/wp-login.php) you specify any arbitrary page, for example site.ru/voydi_v_menya. It is then unlikely that anyone will know the address of the login page. Bear in mind that this is obscurity, not authentication: it cuts the automated noise hitting wp-login.php, but it does not replace strong passwords and the brute-force lockouts.

The feature is also meant to make the backend address (as the site's admin area is often called) easier to remember, and to let you finally drop the Meta widget from the site.

To enable this mode, tick "Enable the Hide Backend Feature".

In the "Login Slug" field, specify the desired address for logging in to the admin area. It can be any word (or string of characters) that is convenient and memorable for you. Do not use "login", "admin", "dashboard" or "wp-login.php" here. I also advise against using any of your Internet nicknames, your date of birth and the like, because all of that is very easy to guess.

If you have problems accessing the admin area after hiding it, a possible cause is incompatibility with the theme. To fix it, use the "Enable Theme Compatibility" option.

The "Theme Compatibility Slug" field specifies the address shown when someone tries to log in via the standard site.ru/wp-login.php (if the previous option is enabled).

Tired yet? Hang in there, there is not much left =)

Encryption (SSL)

Secure Sockets Layer (SSL; in practice its successor TLS today) is the technology used to encrypt data transmitted between the server and the site's visitors. With it enabled, an attacker sitting on the network path cannot read or alter the traffic (there has been plenty of debate about SSL's weaknesses lately, but correctly configured it remains the standard protection). That is why encryption is recommended on pages where passwords and other sensitive data are entered. Any reasonably large site that accepts confidential information uses it (the address of such sites starts with https://).

However, this mode requires that your server supports SSL.

Never enable the SSL options if you have no certificate and your hosting does not support the technology for client sites. Otherwise the site, the admin area or the login page (depending on the chosen settings) will become unreachable.

All of this matters for sites with registration, members-only areas of one kind or another and, of course, online stores. For ordinary sites and blogs an SSL certificate is usually not bought; it is simply not needed, since all the articles, comments and everything else are public anyway. The one place where encryption is useful for our blogs is the login page and the admin area (there it protects us from, for example, having the password sniffed as it is typed in). Note that the login cookie is just as valuable as the password: without HTTPS it travels in the clear on every admin request, and anyone on the same Wi-Fi can replay it.

In general, in 99% of cases bloggers do not use any of this, so we will not go into this section in detail.

Strong passwords

This section lets you enforce the use of strong passwords, based on the password strength meter built into WordPress.

The setting is of little relevance for single-user sites, where only the owner (the administrator) has access and no other users exist. Besides, you, my dear readers, surely know what a strong password is and where to keep it (in a password manager, of course).

In other cases it is recommended to set the minimum role for which a strong password will be required. As a rule that is Authors, Editors and Administrators. Requiring a complex password from Contributors and Subscribers makes little sense. Keep in mind, though, that even a subscriber account is a foothold: many plugin vulnerabilities need nothing more than a logged-in low-privilege user.

But again, it all depends on the site. If you run, say, an online store, a strong password should be required from every user who registers.

Well, we are left with the last two, very interesting, sections...

System tweaks

These are additional settings that can be used to further harden your WordPress site.

They are marked as advanced because they block common attack patterns, but they can also block legitimate plugins and themes that happen to use similar techniques. When activating the settings below, enable them one at a time and check after each that nothing on the site has broken.

Protect System Files - protection of system files. Blocks public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes and .htaccess. These files can contain important information about the site, and public access to them is not needed once WordPress has been installed successfully.

Disable Directory Browsing - forbids visitors from seeing the list of files in a directory even when it has no index file (index.php).

Filter Request Methods - filters the TRACE, DELETE and TRACK request methods. I am no expert in PHP or web-server technology, but I assume these are requests that can carry some unwanted function (for example, the ability to mount an XSS attack). If someone explains this in more detail in the comments, or corrects me, I will be very grateful (and not only me). (For reference: TRACE, and TRACK, its IIS equivalent, simply echo the request back to the client, headers and cookies included, which is what cross-site tracing abuses; DELETE has no legitimate use on a WordPress front end. Nothing is lost by rejecting all three.)

Filter Suspicious Query Strings in the URL - filters suspicious query strings. Such strings are a very common sign that someone is probing your site. Bear in mind, however, that some plugins and themes may also get blocked when this option is enabled (be sure to check that the site works after turning it on!). It will be very good if no problems arise, because this protection is important. If problems do appear, the better option is to get rid of the incompatible plugin (where possible) rather than leave this feature off.

Filter Non-English Characters - filters non-English (non-Latin) characters out of the query string. This filter only works when the previous one is enabled. If your site uses Russian addresses (article titles, category slugs and so on), do not enable this function; otherwise the site may become inaccessible!

In general, if you deal with websites, servers, Linux and the like, it is time to get used to the idea that non-Latin characters in anything used for technical purposes are highly undesirable.

Filter Long URL Strings - limits the number of characters that can be sent in a URL (no more than 255). Attackers often use long URLs to carry injection payloads (SQL injection and the like).

Remove File Writing Permissions - removes write permissions from wp-config.php and .htaccess, so that neither scripts nor users can modify them. Note that, as with similar features in other plugins, this protection can be bypassed: any code running as the web-server user can change the mode back. Still, the restriction makes accidental or drive-by edits of these files harder.

When the function is enabled these files are set to mode 444; when it is disabled they are returned to 644.

Disable PHP in Uploads - forbids execution of PHP in the uploads folder. A new feature that stops malicious scripts that do get uploaded into that folder from ever running, which is the usual second stage of an upload attack.
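To make the rules in this block concrete, here is an added Python model of them (not the plugin's own .htaccess rules, which I have not reproduced) run over constructed sample requests: the method filter, the system-file protection, the uploads PHP block, a suspicious-pattern list, the 255-character limit and the optional non-Latin filter. The pattern list and the request lines are my own sample, not the plugin's.

```python
"""Added example: a Python model of the system-tweak filters above, run over
constructed sample requests. Not the plugin's .htaccess rules; the suspicious
pattern list is a sample of my own."""
import re
from urllib.parse import urlsplit, unquote

BLOCKED_METHODS = {"TRACE", "TRACK", "DELETE"}          # Filter Request Methods
MAX_URL_LEN = 255                                       # Filter Long URL Strings
PROTECTED_FILES = {"readme.html", "readme.txt", "wp-config.php",
                   "install.php", ".htaccess"}          # Protect System Files

# Filter Suspicious Query Strings: sample probes, matched after URL-decoding
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./",                    # directory traversal
    r"<script",                  # reflected XSS attempt
    r"\beval\(",                 # PHP code injection
    r"base64_decode\(",
    r"\bunion\b.+\bselect\b",    # SQL injection
    r"/etc/passwd",
)]

def check_request(method, url, allow_non_latin=True):
    """Return None if the request may pass, else the name of the rule that blocks it."""
    if method.upper() in BLOCKED_METHODS:
        return "method"
    if len(url) > MAX_URL_LEN:
        return "long-url"
    parts = urlsplit(url)
    path, query = unquote(parts.path), unquote(parts.query)
    basename = path.rsplit("/", 1)[-1].lower()
    if basename in PROTECTED_FILES or path.startswith("/wp-includes/"):
        return "system-file"
    # Disable PHP in Uploads: nothing under uploads may be executed as PHP
    if "/wp-content/uploads/" in path and re.search(r"\.php\d?($|/)", path, re.I):
        return "php-in-uploads"
    for rx in SUSPICIOUS:
        if rx.search(query) or rx.search(path):
            return "suspicious-query"
    # Filter Non-English Characters: only meaningful when the previous filter is on
    if not allow_non_latin and any(ord(c) > 127 for c in path + query):
        return "non-latin"
    return None

# constructed sample requests
SAMPLES = [
    ("GET", "/2014/03/hello-world/"),
    ("GET", "/?s=wordpress"),
    ("TRACE", "/"),
    ("GET", "/wp-config.php"),
    ("GET", "/wp-content/uploads/2014/03/shell.php?c=id"),
    ("GET", "/?p=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users"),
    ("GET", "/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd"),
    ("GET", "/?q=" + "A" * 300),
    ("GET", "/рубрика/безопасность/"),          # Russian slug, legitimate
]

def run_samples(allow_non_latin=True):
    """Decision for every sample; the last one flips with the non-Latin filter."""
    return [(m, u[:40], check_request(m, u, allow_non_latin)) for m, u in SAMPLES]

if __name__ == "__main__":
    for row in run_samples(allow_non_latin=False):
        print(row)
```

Two details matter here: decoding happens before matching, so ..%2F is caught as ../, and the Cyrillic URL passes with the non-Latin filter off but is blocked with it on, which is exactly the breakage the text warns about for sites with Russian slugs.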

So, we have activated all of these features (where possible), and now we move on to the last block.

WordPress tweaks

These are additional settings that can be used to further harden your WordPress site. As with the system tweaks, some of them may cause incompatibilities and malfunctions on the site, so enable them one at a time as well.

Remove WordPress Generator Meta Tag - removes the meta tag in the page header that reveals which WordPress version the site runs. This option was dropped as of version 4.9.0.

Every WordPress hardening guide starts by recommending that this meta tag be removed, because knowing the engine version makes it easier for an attacker to pick the matching vulnerabilities and attack vectors. We used to do this by hand; now iThemes Security does it for us. Do not overrate it, though: the version also leaks through the ?ver= parameter on script and stylesheet URLs and through readme.html, so removing the tag alone hides little from a determined scanner.

Remove the Windows Live Writer Header - removes the Windows Live Writer header. If you do not use WLW or similar blogging clients, you can enable this option without hesitation.

Remove the Really Simple Discovery Header - removes the RSD header. If you have not integrated your blog with external XML-RPC services (Flickr, for example), RSD is largely useless to you.

Put simply, the two previous options cut the corresponding link tags (the wlwmanifest link and the EditURI link pointing at xmlrpc.php) out of the site's header.

XML-RPC is a standard (protocol) that WordPress, among others, uses to publish posts and other data remotely from third-party programs, platforms and services. If you do not use such functions (by the way, the various WP clients for Android and iOS rely on them too), it is recommended to disable this protocol, because new vulnerabilities in it keep appearing.

A recent case: in mid-March this year, regular and powerful DDoS attacks were recorded that abused an XML-RPC weakness. WordPress sites with XML-RPC enabled were not the targets themselves; they were used as relays to amplify the attacks (that is, they acted as participants in a botnet). The method abused is the pingback.ping call: the attacker asks thousands of blogs to verify a "pingback" from the victim's URL, and each blog obediently fetches that URL.

I may be wrong, but if memory serves, more than 60 thousand WP sites were found to be acting as bots in DDoS attacks because of this vulnerability. Their owners had no idea. Many of them probably still do not. I even saw a link to a special service where you can check whether your site is taking part in such DDoS attacks.

That is why it is recommended to disable XML-RPC (unless, of course, you use it). The WordPress admin used to have a dedicated option to turn it off; it no longer does (since version 3.5 XML-RPC is always on). So you either have to do it by hand (there is plenty of guidance online) or use the iThemes Security option we will get to shortly.

Reduce Comment Spam - reduces spam in the comments by blocking comments from bots that send no referrer or User-Agent. It is unlikely to affect normal comments, so turn it on without a second thought.

Display Random Version - displays a random WordPress version wherever the real one cannot be removed completely. Relevant for multi-user sites.

Disable File Editor - disables the file editor in the WP admin. Not using the built-in editor? Disable it completely: an attacker who gets hold of an administrator session otherwise has a ready-made way to write a PHP backdoor into the theme.

Disable XML-RPC - disables XML-RPC. The same thing we discussed a moment ago: if you do not use remote publishing tools, be sure to disable XML-RPC.

Enqueue a Safe Version of jQuery - installs a safe version of jQuery. This feature removes the copy of the jQuery library loaded by the theme and replaces it with the safe one shipped with WordPress. If the library version already meets iThemes Security's requirements, nothing needs to be done.

Disable Login Error Messages - disables the error messages shown on a failed login attempt. By default WordPress tells you whether it was the username or the password that was wrong, which lets an attacker confirm valid usernames before brute-forcing them.


Force Unique Nickname - forces the use of a nickname that differs from the login. The display name shows up on author links and in comments, so when it equals the login it hands the first half of the credentials to everyone.

Disable Extra User Archives - disables author archive pages for users with zero posts. Author archives (site.ru/?author=1) are the classic way of enumerating usernames.
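As an added check (not from the article or the plugin), the following Python script audits a page for the leaks these tweaks address: the generator meta tag, the WLW manifest link, the RSD/EditURI link, the X-Pingback header that advertises xmlrpc.php, and version numbers in ?ver= query strings on scripts and stylesheets. It runs over a constructed response from an unhardened install and a hardened one; the site name and tag values are invented. Feed audit() the headers and body from a real fetch of your own front page to use it for real.

```python
"""Added example: audit a WordPress front page for the header leaks the tweaks
above remove. Not part of the original article; sample responses are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class HeadLeakParser(HTMLParser):
    """Collects (issue, detail) pairs for the tags the tweaks strip."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator-meta", a.get("content", "")))
        elif tag == "link":
            rel = a.get("rel", "").lower()
            if rel == "wlwmanifest":                       # Windows Live Writer header
                self.findings.append(("wlw-manifest", a.get("href", "")))
            elif rel == "edituri" and "rsd" in a.get("type", "").lower():
                self.findings.append(("rsd-link", a.get("href", "")))  # RSD header
        if tag in ("script", "link"):
            src = a.get("src") or a.get("href") or ""
            ver = parse_qs(urlsplit(src).query).get("ver")
            if ver:                                        # version leak via ?ver=
                self.findings.append(("ver-query", f"{src.split('?')[0]} ver={ver[0]}"))

def audit(headers, html):
    """headers: dict of response headers; html: page body. Returns [(issue, detail)]."""
    findings = [("x-pingback", v) for k, v in headers.items() if k.lower() == "x-pingback"]
    p = HeadLeakParser()
    p.feed(html)
    return findings + p.findings

# constructed sample response from an unhardened install (site.ru is a placeholder)
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Pingback": "http://site.ru/xmlrpc.php",
}
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.9" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://site.ru/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://site.ru/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="http://site.ru/wp-content/themes/demo/style.css?ver=4.9" />
<script src="http://site.ru/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

# the same page after the tweaks: no generator tag, no discovery links, no ?ver=
HARDENED_HTML = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://site.ru/wp-content/themes/demo/style.css" />
<script src="http://site.ru/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for issue in audit(SAMPLE_HEADERS, SAMPLE_HTML):
        print(issue)
    print("hardened:", audit({"Content-Type": "text/html"}, HARDENED_HTML))
```

The X-Pingback header is the quickest remote tell that XML-RPC is still on; the two ?ver= findings are why the generator tweak on its own is weak.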

Well, those are all the main settings. Now you can go back to the Dashboard tab and look at the current notifications. In my case they now look like this:


It remains to go through the remaining tabs.

Advanced Settings

The settings below are advanced. Make sure you have a working backup of the site before changing any parameter on this page. In addition, these settings are not reverted even if you delete the iThemes Security plugin (!).

However, all the settings used here are recommended by the WordPress.org community itself, and they help improve the security of your site.

Admin User - removes the user "admin" if it exists. I never use the default login "admin", even on test sites, so there is nothing for me to do here; I only see the message "It looks like you have already removed the admin user. No further action is necessary." I hope the same is true for you.

Change Content Directory - changes the content directory. Do not experiment with this feature under any circumstances! It is recommended only on freshly created sites. Otherwise you will simply lose all the content of the blog (not physically, of course). And, as already mentioned, even removing the plugin will not help. That said, it is easy to put everything back (you only need to fix the wp-config.php file slightly; the WP_CONTENT_DIR and WP_CONTENT_URL constants there are what control the location).

In general it is possible to change the wp-content directory on an already working site, but that requires changes in the database, in some plugins, in engine files and so on. In short, not a task for us ordinary bloggers. But if you are planning a new site, pick iThemes Security and try this feature; it will surely come in handy later.

Change Database Prefix - changes the database prefix. By default WordPress uses the wp_ prefix, which can make an attacker's job easier. It is recommended to change the default table prefix. Be realistic about what it buys you: it defeats automated SQL-injection payloads that hardcode wp_users, but an injection that can query information_schema will read the real table names in one request.

Before changing the prefix, be sure to back up the database!
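Since the plugin hides what the prefix change actually does, here is an added Python helper (not the plugin's code and not from the original article) that generates the MySQL statements for it over a constructed list of a default install's tables. The point it makes: renaming the tables is not enough, because the prefix is also stored as data in wp_options (the wp_user_roles option) and in wp_usermeta keys (wp_capabilities, wp_user_level); leave those untouched and every user loses their role after the change. The new prefix k7x2_ is an arbitrary assumption.

```python
"""Added example: generate the SQL for changing the WordPress table prefix.
Not the plugin's code; the table list is a constructed default install."""

def rename_prefix_sql(tables, old, new):
    """Return MySQL statements, in order, to move from prefix `old` to `new`."""
    if not new.endswith("_") or not new.replace("_", "").isalnum():
        raise ValueError("new prefix must be alphanumeric and end with an underscore")
    stmts = []
    # 1. rename only our tables; foreign tables in the same database are left alone
    for t in (t for t in tables if t.startswith(old)):
        stmts.append(f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;")
    # '_' is a wildcard in LIKE, so escape it (MySQL's default escape char is backslash)
    like_old = old.replace("_", r"\_") + "%"
    cut = len(old) + 1          # SUBSTRING is 1-based: drop the old prefix
    # 2. role definitions live in {prefix}options as option_name '{prefix}user_roles'
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {cut})) "
        f"WHERE option_name LIKE '{like_old}';"
    )
    # 3. per-user capability and level keys in {prefix}usermeta carry the prefix too
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{like_old}';"
    )
    return stmts

# constructed: tables of a default single-site install plus one unrelated table
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users", "other_app_data",
]

if __name__ == "__main__":
    print("\n".join(rename_prefix_sql(SAMPLE_TABLES, "wp_", "k7x2_")))
```

After running the statements, $table_prefix in wp-config.php must be set to the new value as well; the plugin does all of this for you in one go, which is exactly why the backup beforehand is not optional.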


Well, now that really is everything =)

It only remains to say that on the Backups tab you can create a backup of the current state of the database at any time (the "Create Database Backup" button), and also take a quick look at the BackupBuddy service.

If anything is unclear, or you have comments and additions, you are welcome to leave them in the comments.

Until next time, friends. Take care of yourselves and your sites!

Sincerely, Alexander Mayer

Every day a huge number of sites are successfully attacked. WordPress sites are no exception and can become an easy target because of vulnerable themes and plugins, weak passwords and outdated software. That is why in today's article we decided to pay attention to WordPress protection.

Cost of BulletProof Security Pro: $59.95 (one-time payment).
Official site - http://affiliates.ait-pro.com/

All in One Security and Firewall

A well-known plugin for protecting WordPress from hacking. It adds a firewall for the site, offers a variety of protection methods and reports on them.

The plugin's firewall settings are divided into three levels, "Basic", "Intermediate" and "Advanced", which lets you apply the firewall rules gradually without breaking the site.

The functions of this plugin (like those of the others in this selection) are numerous enough to fill a separate article. I will list the main ones here:

1. Account protection:

  • detects an account named "admin" and offers to rename it to something of your choice;
  • detects and reports accounts whose username and display name coincide; such accounts are easier to crack;
  • generates strong passwords.

2. Login and registration:

  • the Login Lockdown option blocks users after a set number of incorrect login attempts;
  • forces all users to be logged out after a set time;
  • tracks activity in all user accounts by logging it;
  • reports the full list of users who are currently logged in;
  • adds a CAPTCHA to the login and registration forms;
  • lets you manually approve each new registration on the site.

3. Database protection:

  • changes the WP database prefix to any other;
  • configures automatic backups.

4. File system protection:

  • finds folders and files with unsafe permissions and changes them to safe values;
  • prevents editing of PHP files from the administrator's control panel;
  • blocks access to the readme.html, license.txt and wp-config-sample.php files.

5. The firewall function adds protection through the .htaccess file. The web server processes this file before any of the site's code runs, so the firewall rules stop malicious requests before they ever reach the WP code.

6. Prevention of brute-force attacks.

7. Security scanning:

  • tracking file changes and notifying you about them;
  • scanning database tables for suspicious strings, JavaScript and HTML code in the core WordPress tables.

8. Protection against comment spam:

  • tracking the most active IPs that keep posting spam comments, and blocking them;
  • adding a CAPTCHA to WordPress comments.

9. Protection of content from copying.

Cost: free.

Wordfence

This WordPress security plugin starts an automatic scan right after installation to check whether your site is already infected. It supports WordPress Multisite. Main functions:

1. Firewall:

  • protects against hacking by recognising malicious traffic and blocking suspicious intrusion attempts;
  • blocks common security threats such as fake Googlebots, malicious scans by hackers, and botnets.

2. Blocking:

  • blocks entire malicious networks. Includes IP and domain lookups via WHOIS and blocks malicious IPs with the firewall;
  • blocks threats such as aggressive crawlers, scrapers and bots;
  • blocks and controls users who violate the security rules of your site.

3. Login security:

  • account login with two-factor authentication;
  • lets you enforce strong passwords for administrators and users;
  • prevents brute-force attacks.

4. Security scanning:

  • checks the site for vulnerabilities of the Heartbleed type;
  • checks core files, themes and plugins against the versions in the WordPress.org repository for integrity and safety;
  • lets you view changes in files and fix them if there is a security threat;
  • checks for known backdoors that create security holes (C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many others);
  • scans all your comments, posts and files for malware and phishing URLs listed in Google Safe Browsing;
  • scans for trojans, suspicious code and other threats.

5. Monitoring:

  • watches all your traffic in real time and reports potential threats;
  • monitors the site for unauthorised changes;
  • tracks disk space. Many DDoS attacks aim to consume all the disk space in order to cause a denial of service.

Cost: free, but there is a premium version that includes VIP support, scan scheduling, password auditing, and a check of whether your site's IP address is being "spamvertised".

The premium subscription costs $8.25 per month; paying for a year earns a further discount.

Sucuri Security

Sucuri Inc. is a well-known company working on web security, with a specialisation in WordPress security.

The Sucuri Security plugin includes the following features:

1. Security audit.
Tracks all events related to the security of the site. Any change that can qualify as a security threat is recorded by the plugin. The records are stored in the Sucuri cloud service for better preservation, which guarantees that nobody can erase the report data. If an attacker manages to bypass your site's defences, all the information is still kept in the Sucuri Security Operations Center (SOC).

This feature is especially needed by site administrators and security experts who have to understand what is happening to the site and when. Security notifications can be configured to go out by e-mail.

2. File integrity monitoring.
The plugin compares the original (approved) version of each file with the current one and, if they differ, raises a security warning. The check is carried out for all core files, plugins and themes.

3. Remote malware scanning.
This is done with the Sucuri tool that is available as the free security scanner SiteCheck.

4. Blacklist monitoring.
The plugin checks various blacklists, including:

  • Sucuri Labs
  • Google Safe Browsing
  • Norton
  • PhishTank
  • McAfee SiteAdvisor
  • Yandex
  • Spamhaus
  • BitDefender

These are among the largest lists of websites with security problems. If your site turns up on one of them, Sucuri offers a paid extra: help with removing your site from the blacklist using its Website AntiVirus service.

5. Effective security hardening.
The plugin hardens the site through .htaccess protection, restricting access to the wp-includes folder, checking the security keys, checking the PHP version, changing the database prefix, deleting the readme.html file, and more.

6. Post-hack security actions.
If the site does get hacked, the plugin will offer to:
  • update the security keys;
  • reset the passwords of all users;
  • update the plugins.

7. Firewall (an additional paid feature).
This is definitely the best feature Sucuri offers. The firewall protects against:

  • DoS and DDoS attacks;
  • software vulnerabilities;
  • brute-force attacks.

Cost: free; paid packages start at $199 per year.

And what protection do you use for your WordPress site, and what exactly do you like about it?