Sucuri Security & iThemes Security Configuring Tips

November 9, 2014

Two of WordPress’s Most Popular Security Plugins: Sucuri and iThemes Security


Here’s a detailed screencast video where I show you how to configure two of WordPress’s most popular and powerful security plugins: Sucuri Security – Auditing, Malware Scanner and Security Hardening, and iThemes Security (formerly Better WP Security).

I personally have found that using both these plugins together and setting them up correctly provides the best mixture of security with usability.

WordPress security is no longer an option; it’s totally necessary. There are about 80 million websites running on WordPress; basically this means that a lot of script kiddies have WordPress on their collective nasty radars.

So how do you keep your website nice and secure?

In this article I plan to go through 4 steps that I normally follow for my own and clients’ WordPress websites, which really helps to make them more secure.

However, I firstly would like to point out that there’s always a balance between security and usability. You can never make a public facing website 100% secure: that’s impossible. And even trying to make it 99% secure can lead to a website that is not useable.

You can make a website really secure, but in doing so you can make it a pain in the backside to administrate. What I will be looking at in this article are the things that I do that make a site a lot more secure but don’t make you want to pull out your hair.

1) Having effective lookouts on your side

When Britain was ruled by Rome, the Romans built Hadrian’s Wall to keep out the barbarians – the Pict tribes of what is now known as Scotland – from their northern territories. They would have effective lookouts on watchtowers all along the wall.

Well, that is what you need as your first line of defense when it comes to your WordPress powered website. Your hosting provider should be your online lookout on the watchtower. This is why you should be fussy about whom you use as your hosting provider.

2) Put good and effective backup systems in place

Good backups are really important when it comes to security, but a surprising number of people don’t use them or don’t use them well. I’ve had clients with a number of different types of security plugins which made their sites very difficult to use and maintain, but when I asked them about their backup systems, they normally either had no effective backups or very out of date backups.

You should not rely on your hosting provider as your backup system. Your host’s backups should really only be used as a last recourse.

Here’s a video of Adii Pienaar, one of the founders of WooThemes, talking about how he and his business partners almost lost their company when their site got hacked. At the time, unfortunately their hosting provider had been hacked as well – with the result that all the normal nightly backups had been damaged and corrupted. WooThemes was lucky that they had an old copy of their website and database on a backup disc on a local machine.

3) Use SSL (Secure Socket Layer)

You might not have noticed, but a lot of the leading websites like Twitter are now fully SSL, and I can only see this trend increasing in the next year. It has become quite cheap to buy an SSL certificate that not only covers a particular domain, but all the domains that you might have with a particular hosting provider. SSL proves that you are who you say you are, so customers can use your site with confidence.

Until about a year ago, you needed a static IP for each SSL certificate. However, if your hosting provider is running their servers on Linux, they now should be able to offer you SSL on static IP hosting. If they can’t or won’t offer this to you, maybe you should start considering a different host.

If you’re looking for really cheap but good SSL certificates, go to Namecheap. They offer some excellent deals, starting at $9.00 per year! You can install this on your hosting provider’s server, or your hosting provider should offer to do this for you with no arguments or high fees. If not, I suggest again that you should change hosting providers. However, I wouldn’t recommend Namecheap for your hosting provider.

4) Install WordPress security plugins


I’ll start with one plugin/service that I use when a client’s site has been really badly hacked. The great WordPress security company Sucuri makes this plugin, called Security and Auditing Malware. It will screen and detect malware which could have been installed on your hacked website, and you get a lot of the key functionality for free. If you want continued protection, you can pay $99 per year for a single domain license.

Sucuri will do a total scan and cleanup of any malware on your hacked website, and then keep a constant lookout for malware that might pop up later, continuing for one full year. This is important because it’s a sad fact that if your website has been successfully hacked but has been unsuccessfully cleaned up, hackers will normally keep trying to get back into your site.

I do switch off a lot of the settings of this plugin: it can drive you semi-mad with all the email warnings it sends you. I also use a different plugin for a lot of the firewall functionality.

iThemes Security (formerly Better WP Security)

iThemes Security is another really great security plugin. It comes with a free and paid version; however, I find I only need to use the free functionality if I’m combining iThemes with the Sucuri plugin.

Finishing Thoughts

I plan to do a detailed screen-share video with instructions on how I set up these two powerful but slightly complicated WordPress plugins, and add the video to this article in the near future.

However, if you do hire somebody to do the four things I have outlined in this article, you will straight away make your website 100% harder to hack. It’s a bit like making your home more secure: you don’t want or need to make it like Fort Knox – that would be ridiculous. What you want is to make it a lot harder for a burglar to break in, so he or she will go and find an easier target.

Full YouTube Video Transcript


Hi there, folks. It’s Jonathan Denwood here, one of the co-presenters on WP-Tonic. I’m doing a quick screen video here just to show you how I configure two really popular WordPress security plugins. I’m going to start off with Sucuri Security auditing malware scanner and security hardening. A little bit of a mouthful, but it’s a great plugin. The other I’m going to look at is iThemes Security, formerly Better WP security. Basically I utilized these two together and I find you get a very effective increase in security protection for your website. Basically I’ve installed both these plugins on a test site of mine. I want to point out that you should start off with a malware scan. I’ve done one. You click this and basically it takes a couple minutes. It does a full scan of all your files, your core WordPress files, and it will detect if there’s any malware that’s been installed.

It shows the files that might’ve been compromised and either you can get Sucuri to help you out or, if you’ve got backup you can change those files. That’s really handy actually. The next one, they do a firewall protection. It’s a bit like if you’ve ever had a firewall router but I’ve heard that there can be some problems utilizing this. I don’t recommend it, actually. You’ve got settings. If you’re managing a site for a client this is an important little tip. It will find the email address that’s registered in your main dashboard, but you don’t always want to utilize it, especially if you’re maintaining a site for a client because Sucuri can send a lot of email. I’m going to show you how to diminish that but it can send a lot of quite alarming emails and it could really freak out your client. Because basically as it’s set up in its normal settings it will literally send an email, is a whistle in a wind, virtually, whistle in a wind around your website and your client will get an email, there’s been hundreds of attempts to try and enter your website.

This will just absolutely freak them out. Basically you can put your address in here which I suggest you do. Alert settings. This is the thing that you really want to set up for yourself, or if you’re managing the site for a client. I switch all this off myself, apart from this one. This is the one that’s important. This is telling you that your site’s under brute force attack. I’ll go into what that means in a minute. Let’s save that. You really want to do this, even if you’re managing the site. Otherwise, you are going to get a ton of email from this plugin. This is the one that you’re really interested in. I’ll have a quick look at this. This tells you, like I say, I’ve got this site running on my local machine, using MAMP, but this gives some of your information. We’re going to go into hardening. It’s not the kind of hardening you’re thinking about folks. I know your minds.

Like I said previously, I don’t like activating this. I haven’t utilized it myself personally, but I have heard some bad things that have caused some problems. Protect your upload directory. I’m still working on this site but this is a good idea actually. I would press this and harden it. I’d like to make a point. You can harden a setting and if it’s causing you some headaches you can un-harden it by pressing the button again. I’ll show you this. You can revert. Don’t worry to try these settings out. This is one that I do harden. Restrict content, this option blocks direct PHP – I harden, when I’m ready with the site, the site is on the client’s live server, I harden this. Restricting root access, option blocks, I harden again. When it’s ready to go live and it’s on the client server I harden. It disguises what version of PHP you are using, basically your client’s not going to be interested in this.

The only people that are going to be interested are those type of people you’re going to try to keep out of the site. I keep that. Security key, you can do this, check wherever you ran, blah, blah. I don’t normally activate this. I do harden here because the only people that really want to read this file are the type of people that you don’t want in your site. Default admin account. There’s a bit of argument here. Some people say that as long as you’ve got a really strong password, but if it’s a production site – I’m using admin [as a user name] at the present moment, because I’ve got this on my local machine and I’ve got it on my test server but when I actually put it on the client’s server I do change the admin username to something different than “admin” and I’ll also strengthen the password. I do harden. Plugin and theme editor. I don’t normally bother with this because fundamentally, if they got this far and they’ve got into utilizing the editor in the system, I think you’re finished anyway.

I think they’re in. I do not activate this. This is basically the suffix of your tables in your database for WP. Some people suggest that you change this. It can cause you a lot of headaches and I think the headache to benefit ratio don’t justify it, but I leave that to your judgment. These are the settings that I set up in Sucuri. Like I say, I don’t utilize that, go into hardening, settings, like I say, is important. Can’t talk today, can I? That’s around putting your own email rather than this going to your client, because it will freak out your client. They will get onto that phone quicker than greased lightning. Been there, had that. These go into the other one if we can find it. This is our API key. I didn’t go into this. Basically it’ll send you a secure API key to this address by clicking here and it’s a place in Sucuri where you can put it. It’s just – please generate.

I haven’t done this because it’s on a local machine basically. We are now in iThemes Security. This is a really powerful plugin and it does overlap with Sucuri, but I switch off some settings here and I rely on Sucuri because I found Sucuri, in the areas where I set it out for, it manages things a little better in my opinion. The main thing what you’ve got to do where, straightaway is go into settings and we remove temporary white list, it’s a pressed button. When you activate this and it’s on your live server, go in here and for God’s sake, press this button. If you don’t do this, there’s a high chance you’re going to be locked out of your own site. That happened to me once and it’s quite embarrassing. It’s caused a lot of problems. You can also fix it in here. That up here was the temporary. It lasts for one day. Twenty-four hours. From the top you click, boom, but then you go down here and you add your computer IP address to this list.

It can cause a little bit of headaches. It’s not a problem. If your client is also looking in, it’s best to do video screen calls and show them what they’ve got to do. Otherwise, if they try and log in more than once and they don’t add themselves to the white list or press this button at the top and then add themselves, when they try and log in for the second time they won’t be able to log in to their own site, and again, they will get on that phone and they will not be happy bunnies. This is quite important. Global settings. Like I say, the notify email. You can put your own one in here. I really suggest you do this. This will be ticked. Un-tick. If you don’t un-tick it and save, this plugin is going to send you tons and tons of email. Good email. Your hosts lock out message, error. This message is … Basically this is the message where somebody’s attempting to log in and it’s saying they forgot their password.

After about five attempts or something you will lock them out and you’ll lock them out for a period of time which is set in this plugin. This is the message they see if they reach the attempt threshold and then they’re still attempting to log in and not leaving it for the period that you set. I keep it as error, because if they’re bad guys you don’t really want to tell them why they’re being locked out, that you’re utilizing this plugin. Use a lock out message, you have been locked out. I do have this one. You’ve been locked out. What? Community block out, enable blacklist repeat, this is a great thing. If your box is checked, the IP address of the offending computer will be added to the banned user blacklist after reaching the number of lockout list below. You can remove them from this list but if a brute force attempt is being aimed at your website, adding them to this list is that they don’t even get the attempts to try and get in, which I think is good.

Blacklist threshold, you can increase this, the number of days. Seven days is a little bit too far. I put it down to one day. Lockout periods. Here’s the whitelist. I do have this on, just, I like to know who’s been locked out, especially if it’s a membership site. Keep the database locked, fourteen days, the number days, yeah, I leave that to what it is. I do not like this. Basically what this means is if every site has some links, internal, external, that don’t work and people are taken to your 404 page. If you enable this they’re locked out basically, it’s treated as a brute force attempt. I don’t think that’s a good idea. This will be ticked as it comes out the box. You really want to un-tick that. I’m going for it. I do click this and I don’t enable bandwidth. This comes from hacker repair and they have a global list of bad guys, people that are involved in brute force attacks. By ticking this, this is one of the great things of the iThemes Security plugin.

They have grouped together all this data so everybody that’s using the iThemes Security plugin that clicks this tick box, they share data and it really does make it hard for the people that are involved in brute attacks. Do tick that. Yep. I leave this. I’m looking for something that I really don’t like to show you. You can hide the log in area. Most places it’s [the site address/wp-login.php] is the log in address. You can hide this or you can change it basically. You can also change it. This will hide it but you can also alter that. A lot of people like this because I think if you got a membership site and you’ve got somewhere on the front to log in I think this is a good idea. Sometimes they utilize Fiverr or Amazon Mechanical Turk. There’s actually real people trying to get into your site but a lot of the times it’s scripts.

Scripts don’t attempt to go through the front end of your website. They’re just an automatic script and by changing the log in page or the address it makes it a lot harder for them. I just thought I’d explain that. On my article which is on WP-Tonic, we go through why it’s a good idea to make your whole site SSL. I don’t plan, this is the one that I wanted to talk about, enable strong password enforcement. This comes ticked I think when it comes out, with its normal setting. I un-tick it. If you keep this ticked this will force people to – it’s a bit like these banking sites where they force you to have lower and higher [uppercase and lowercase letters], so many characters, blah, blah. It’s a real pain in the posterior and especially if you’ve got a membership site or some site where you want people to join. It could increase the bow-out rates and I really just don’t think the benefit you get from this with the pain it causes are in balance.

That’s my personal judgment call. I keep this un-ticked. Then you’ve got system tweaks. A lot of this stuff that’s what the Sucuri does. This is mind-blowing. I do tick this because I do tick that and that and that. The same thing, I don’t bother. If they’ve got that far it’s very similar to the previous plugin, you’ve had it anyway, but these, general meta tag, this stuff, nobody really wants to notice. The only people that want to notice are the type of people that you don’t want inside your website at all and this, I don’t bother with. I’m going to save this and that’s it. I could go a lot further but I just wanted to give you some quick tips about how I set up these two plugins and how I get them to work so they’re not conflicting with one another and I’ve played around with all these settings and this is the kind of setup that I normally do for myself and for a client.

I’ve found that it provides the maximum security with the least pain to you and your client. Hopefully this has been useful. Please go and have a look at the rest of the WP-Tonic website and if you like this screen training, screen cast, maybe you can give us a five-star rating in iTunes. That would be really helpful folks. Good WordPressing. This is Jonathan Denwood here wishing you a great WordPress week. Bye.
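
The lockout, blacklist and whitelist behaviour described in the transcript, modelled as an added example (not code from this article or from iThemes Security). The thresholds, time windows and IP addresses are assumed values chosen for illustration, and the login events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; the plugin's real defaults may differ.
MAX_ATTEMPTS = 5                   # failed logins before a lockout
WINDOW = timedelta(minutes=5)      # span in which failures are counted
LOCKOUT = timedelta(minutes=15)    # length of one lockout
BAN_AFTER_LOCKOUTS = 3             # lockouts before the IP is blacklisted
WHITELIST = {"203.0.113.10"}       # your own IP, never locked out


def sample_events():
    """Constructed login events: (timestamp, client IP, login succeeded)."""
    t0 = datetime(2014, 11, 9, 12, 0, 0)
    events = []
    # Scripted guessing: one failed login every 30 seconds for an hour.
    events += [(t0 + timedelta(seconds=30 * i), "198.51.100.7", False)
               for i in range(120)]
    # Whitelisted site owner mistyping a password eight times.
    events += [(t0 + timedelta(seconds=5 * i), "203.0.113.10", False)
               for i in range(8)]
    # Ordinary member: two failures, then a successful login.
    events += [(t0 + timedelta(minutes=m, seconds=7), "192.0.2.44", m == 3)
               for m in (1, 2, 3)]
    return sorted(events)


def process(events):
    """Return (lockouts per IP, blacklisted IPs, refused attempts per IP)."""
    failures = defaultdict(list)   # ip -> recent failure timestamps
    locked_until = {}              # ip -> end of the current lockout
    lockouts = defaultdict(int)
    banned = set()
    rejected = defaultdict(int)    # attempts refused before any password check
    for ts, ip, ok in events:
        if ip in WHITELIST:
            continue               # whitelisted addresses are never counted
        if ip in banned or locked_until.get(ip, ts) > ts:
            rejected[ip] += 1
            continue
        if ok:
            failures[ip].clear()   # a successful login resets the counter
            continue
        recent = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            failures[ip] = []
            lockouts[ip] += 1
            locked_until[ip] = ts + LOCKOUT
            if lockouts[ip] >= BAN_AFTER_LOCKOUTS:
                banned.add(ip)     # repeat offender goes on the blacklist
    return dict(lockouts), banned, dict(rejected)
```

With these assumed settings the scripted client gets only 15 password checks in an hour; its other 105 attempts are refused outright, and after the third lockout it is blacklisted.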
