ithemes presentation

WordPress Security using iThemes Security Jason Yingling | Lead Developer Red8 Interactive | red8interactive.com @jason_yingling | jasonyingling.me

Upload: jason-yingling

Post on 17-Aug-2015


TRANSCRIPT

WordPress Security using iThemes Security

Jason Yingling | Lead Developer
Red8 Interactive | red8interactive.com

@jason_yingling | jasonyingling.me

HHAM

• Hosting
• Hardening
• Access
• Maintenance

WordPress Hosting

• Support for the latest software
• Optimized for running WordPress
• Malware scanning
• Staff who work with WordPress 24/7
• Backups

Hardening

• Protecting your site from common security risks
  – Don’t use the ‘admin’ username
  – Strong passwords
  – Hide the login area
  – Brute Force Protection
  – 404 Protection
  – Malware scanning

Access

• Minimize the number of administrators
• Remove file editing from the dashboard
• Two Factor Authentication

Maintenance

• Keep WordPress up to date
• Keep plugins up to date
• Remove unused themes and plugins

iThemes Security

iThemes Landing Page

• Broken down into high priority, medium priority, and low priority

Global Settings

• Write to wp-config.php

• Emails for lockout notifications, file change warnings, etc.

Global Settings

• Error messages to display to locked out users

Global Settings

• Enables blacklisting repeat offenders
• Good idea to switch these up from the defaults

404 Detection

• Locks out a host that generates a burst of 404 errors, the signature of a scanner probing for known vulnerable paths

Away Mode

• Allows for disabling access to the dashboard between certain hours

• Do you really need to be able to edit 24/7?

• Taking a vacation

Banned Users

• Enable HackRepair.com’s blacklist feature

• Enable Ban Users
• Permanently bans attackers’ IPs

Brute Force Protection

• Limit the number of bad login attempts before temporarily locking out the offending host

Brute Force Protection

• Switch it up from the default

• 4 Max Login Attempts Per Host

• 9 Max Login Attempts Per User

• 6 Minutes to Remember Bad Login
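The 404 Detection and Brute Force Protection slides both describe the same mechanism: count bad events per host (and, for logins, per user) inside a remember window and lock out whatever crosses the threshold. The sketch below is an added example written for this page, not the plugin's own code. It uses the login thresholds suggested on the slides (4 per host, 9 per user, 6-minute memory); the 404 threshold of 20 errors in 5 minutes is an assumed illustrative value, and the log data is constructed, not captured from a real site. It runs both counters over the sample so you can see why a per-user limit is needed in addition to a per-host one.

```python
# Added example (not the plugin's code): a sketch of the sliding-window
# lockout logic behind the 404 Detection and Brute Force Protection
# slides, run over constructed log data.  Login thresholds are the ones
# suggested on the slides (4 per host, 9 per user, 6-minute memory); the
# 404 threshold (20 in 5 minutes) is an assumed illustrative value.
from collections import defaultdict, deque


class LockoutTracker:
    """Counts bad events per key and reports when a key reaches its
    threshold inside the remember window."""

    def __init__(self, threshold, remember_seconds):
        self.threshold = threshold
        self.window = remember_seconds
        self.events = defaultdict(deque)  # key -> timestamps of bad events

    def record(self, key, ts):
        q = self.events[key]
        q.append(ts)
        # Forget events older than the window (timestamps for one key must
        # arrive in order, which the sorted() calls below guarantee).
        while ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def evaluate_logins(attempts, max_per_host=4, max_per_user=9, remember_minutes=6):
    """attempts: (ts_seconds, host, username, success) tuples.
    Returns (locked_hosts, locked_usernames)."""
    by_host = LockoutTracker(max_per_host, remember_minutes * 60)
    by_user = LockoutTracker(max_per_user, remember_minutes * 60)
    locked_hosts, locked_users = set(), set()
    for ts, host, user, ok in sorted(attempts):
        if ok:
            continue
        if by_host.record(host, ts):
            locked_hosts.add(host)
        if by_user.record(user, ts):
            locked_users.add(user)
    return locked_hosts, locked_users


def evaluate_404s(requests, max_404_per_host=20, remember_minutes=5):
    """requests: (ts_seconds, host, path, status) tuples. Returns locked hosts."""
    by_host = LockoutTracker(max_404_per_host, remember_minutes * 60)
    locked = set()
    for ts, host, path, status in sorted(requests):
        if status == 404 and by_host.record(host, ts):
            locked.add(host)
    return locked


# Constructed sample data, not captured from a real site.
SAMPLE_LOGINS = [
    # one host hammering 'admin': four misses in 30 s -> host lockout
    (0, "203.0.113.7", "admin", False),
    (10, "203.0.113.7", "admin", False),
    (20, "203.0.113.7", "admin", False),
    (30, "203.0.113.7", "admin", False),
    # slow host: three misses, then one more after the 6-minute window -> no lockout
    (100, "198.51.100.2", "jason", False),
    (160, "198.51.100.2", "jason", False),
    (220, "198.51.100.2", "jason", False),
    (700, "198.51.100.2", "jason", False),
    (710, "198.51.100.2", "jason", True),
] + [
    # distributed guessing: nine hosts, one miss each against 'editor'
    # -> no host trips the per-host limit, but the per-user limit catches it
    (300 + 20 * i, f"192.0.2.{i + 1}", "editor", False) for i in range(9)
]

SAMPLE_REQUESTS = [
    # scanner walking a list of paths that do not exist here: 25 404s in 50 s
    (i * 2, "203.0.113.9", f"/wp-content/plugins/old-plugin-{i}/readme.txt", 404)
    for i in range(25)
] + [
    # ordinary visitor with a couple of broken links
    (5, "198.51.100.4", "/about", 200),
    (9, "198.51.100.4", "/old-page", 404),
    (40, "198.51.100.4", "/favicon.ico", 404),
]

if __name__ == "__main__":
    print(evaluate_logins(SAMPLE_LOGINS))  # ({'203.0.113.7'}, {'editor'})
    print(evaluate_404s(SAMPLE_REQUESTS))  # {'203.0.113.9'}
```

Two things the sample makes visible: the per-host limit alone never fires against the nine-host spray on `editor`, and the slow host at 198.51.100.2 is never locked because its earlier misses age out of the window. One caveat if you run a site behind a CDN or reverse proxy: the "host" key has to be the real client address (taken from the proxy's forwarded header after verifying the request came from the proxy), otherwise every visitor shares one key and the first attacker locks out the proxy itself.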

Database Backups

• Sends a database backup via email or stores it on the server

• Plugins
  – BackupBuddy
  – BackWPup
  – WPMU DEV Snapshot
  – VaultPress

File Change Detection

• Allows you to include and exclude specific files that may change often

• Helpful to see what files were changed if an attack happens

Hide Login Area

• Change the login URL from the default /wp-login.php (and /wp-admin) to a slug of your own

• Makes it more difficult for an attacker to find the login area; this is obscurity that cuts automated noise, not a replacement for brute force protection and strong passwords

• Avoid using iThemes’ default /wplogin, which scanners know to try

SSL

• Requires SSL set up on the server
• Allows you to force SSL for the Dashboard

Strong Passwords

• Enables you to force strong passwords for users in selected roles

System Tweaks

• Some of this may be performed by your host

• Good idea to have on unless you know something conflicts on your site

WordPress Tweaks


Advanced Settings

• Change the name of the ‘admin’ user

• Change the ID of user 1 (the first account created, and the first one attackers enumerate)

Advanced Settings

• Change WordPress salts

Advanced Settings

• Change name of wp-content directory

• Not necessary on most WP specific hosts

Advanced Settings

• Change the database prefix to make your tables harder to find
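Several of these settings (Remove file editing, SSL, Change WordPress salts, Change database prefix) come down to lines in wp-config.php. The script below is an added example written for this page, not code from the talk or the plugin: it parses a wp-config.php and reports the weak defaults those slides warn about. The constant names (`DISALLOW_FILE_EDIT`, `FORCE_SSL_ADMIN`, the eight salt keys, `$table_prefix`) are WordPress's own; the two config samples are constructed, and the 32-character minimum for a salt is an assumed sanity threshold.

```python
# Added example, not from the talk or the plugin: an offline audit of the
# wp-config.php settings behind the Remove file editing, SSL, salts and
# database prefix slides.  Constant names are WordPress's own; the two
# config samples are constructed; the 32-char salt minimum is assumed.
import re
import secrets

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return ({constant: value}, table_prefix) from wp-config.php source."""
    consts = {name: raw.strip("'\"") for name, raw in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    return consts, (m.group(1) if m else None)


def audit_wp_config(text):
    """List the hardening gaps the slides talk about; an empty list means clean."""
    consts, prefix = parse_wp_config(text)
    findings = []
    if consts.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: theme/plugin editor is reachable from the dashboard")
    if consts.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not true: login and dashboard may be served over plain HTTP")
    for key in SALT_KEYS:
        value = consts.get(key)
        if value is None or value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key} is missing, still the placeholder, or shorter than 32 characters")
    if prefix in (None, "wp_"):
        findings.append("$table_prefix is the default wp_: table names are trivially guessable")
    return findings


def fresh_salt_defines():
    """Generate the eight salt constants from a CSPRNG (64 URL-safe chars each)."""
    return "\n".join(f"define('{key}', '{secrets.token_urlsafe(48)}');" for key in SALT_KEYS)


# Constructed sample: a stock config with every weak default present.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "\n".join(
    f"define('{key}', '{PLACEHOLDER}');" for key in SALT_KEYS
) + "\n$table_prefix = 'wp_';\n"

# Constructed sample: the same config after hardening.
HARDENED_CONFIG = f"""<?php
define('DB_NAME', 'wordpress');
{fresh_salt_defines()}
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
$table_prefix = 'k9q2_';
"""

if __name__ == "__main__":
    for line in audit_wp_config(WEAK_CONFIG):
        print("WEAK:", line)
    print("hardened findings:", audit_wp_config(HARDENED_CONFIG))  # []
```

Three caveats before applying the hardened values by hand rather than through the plugin: editing `$table_prefix` alone breaks the site, because the existing tables must be renamed and the prefixed rows in options (`wp_user_roles`) and usermeta (`wp_capabilities`, `wp_user_level`) renamed with them, which is what the plugin's setting does for you; rotating the salts invalidates every logged-in session, including yours; and `FORCE_SSL_ADMIN` only helps if the server already serves the site over HTTPS, as the SSL slide says.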

iThemes Security Pro

• Allows you to temporarily bump a user’s access

iThemes Security Pro

• More password options

• Password generator on the user profile

• Password expiration

• Force password change

iThemes Security Pro

• Use Google’s reCAPTCHA for login, registration, and commenting

iThemes Security Pro

• Allow users to set up Two Factor Authentication using the Google Authenticator app

iThemes Security Pro

• Log user activities for a chosen role, such as login, saving content, and more

Locked yourself out?

• Log in to your database via phpMyAdmin or a program like Sequel Pro

• Navigate to the itsec_lockouts table (it carries your table prefix, so wp_itsec_lockouts on a default install)

• Delete the row with your IP

Locked yourself out?

• Disable the plugin via FTP

• Navigate to /wp-content/plugins

• Rename the plugin directory (better-wp-security for the free plugin, ithemes-security-pro for Pro); WordPress deactivates a plugin whose directory is missing
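The two recovery routes on the "Locked yourself out?" slides, as code. This is an added example written for this page, not code from the talk or the plugin. The table name `<prefix>itsec_lockouts` is the one the slide refers to; the column name `lockout_host` is assumed from the plugin's schema, so confirm it with `DESCRIBE wp_itsec_lockouts` before running against a live site. The database demo uses sqlite3 in memory as a stand-in for MySQL, and the plugin-rename demo uses a temporary fake wp-content tree.

```python
# Added example, not from the talk or the plugin: the two 'Locked yourself
# out?' recovery routes as code.  The table is <prefix>itsec_lockouts; the
# column name lockout_host is assumed from the plugin's schema, so check
# it with DESCRIBE wp_itsec_lockouts before running against a live site.
# The sqlite3 demo below stands in for the real MySQL database.
import os
import re
import sqlite3
import tempfile


def clear_lockouts_for_host(conn, ip, prefix="wp_", placeholder="?"):
    """Delete every lockout row for one IP through a DB-API connection.
    The IP is a bound parameter; only the table prefix is interpolated,
    and it is validated first.  Use placeholder='%s' with PyMySQL or
    mysql-connector.  Returns the number of rows removed."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"refusing suspicious table prefix {prefix!r}")
    table = f"{prefix}itsec_lockouts"
    cur = conn.cursor()
    cur.execute(f"DELETE FROM {table} WHERE lockout_host = {placeholder}", (ip,))
    conn.commit()
    return cur.rowcount


def disable_plugin_by_rename(wp_content, plugin_dir="better-wp-security"):
    """FTP fallback from the slide: WordPress drops a plugin whose directory
    is gone, so renaming it disables the plugin without touching the DB.
    Default is the free plugin's directory; Pro lives in ithemes-security-pro."""
    src = os.path.join(wp_content, "plugins", plugin_dir)
    dst = src + ".disabled"
    os.rename(src, dst)
    return dst


def demo_clear_lockout():
    """Constructed lockouts table with two banned hosts; remove only ours."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_itsec_lockouts ("
        "lockout_id INTEGER PRIMARY KEY, lockout_host TEXT, "
        "lockout_expire TEXT, lockout_active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO wp_itsec_lockouts (lockout_host, lockout_expire, lockout_active) "
        "VALUES (?, ?, 1)",
        [("203.0.113.7", "2015-08-17 10:15:00"), ("198.51.100.2", "2015-08-17 10:20:00")],
    )
    removed = clear_lockouts_for_host(conn, "203.0.113.7")
    remaining = conn.execute("SELECT COUNT(*) FROM wp_itsec_lockouts").fetchone()[0]
    conn.close()
    return removed, remaining


def demo_rename():
    """Fake wp-content tree in a temp dir; returns True when the rename worked."""
    with tempfile.TemporaryDirectory() as wp_content:
        src = os.path.join(wp_content, "plugins", "better-wp-security")
        os.makedirs(src)
        dst = disable_plugin_by_rename(wp_content)
        return os.path.isdir(dst) and not os.path.exists(src)


if __name__ == "__main__":
    print(demo_clear_lockout())  # (1, 1)
    print(demo_rename())         # True
```

The IP is bound as a parameter rather than pasted into the statement, which matters when the value comes from a log or a form; only the table prefix is interpolated, after a whitelist check. Cheaper than either route is not getting locked out in the first place: add your own address to the lockout white list in Global Settings before tightening the thresholds.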

Questions?

• Jason Yingling | Red8 Interactive
• @jason_yingling
• http://jasonyingling.me