The iThemes Security plugin (formerly known as Better WP Security) allows you to secure your WordPress installation in more than 30 ways. Install the plugin for your blog and, once the installation is successful, you will see the following Secure your site now button at the top of your dashboard:



secure now

Click on the button and the next page will ask you to complete the following steps:

first steps

1. Backup your site’s database: It is highly recommended that you take a full backup of your site’s database before you start using or configuring the plugin. The chances are very slim that this security plugin will do something bad to your site; however, if your site starts behaving strangely, you can always deactivate or uninstall the plugin and restore your previous database from the backup file.

When you first click on the Make a backup button, the plugin will compress your blog’s database and then send the compressed file to you via email. The file is sent to the administrator email address that you are currently using with your site:

database backup

2. Allow file updates: In order to secure your installation, the plugin needs to edit two important files in your account, viz. wp-config.php and .htaccess, from time to time. You are required to grant WRITE permission to the plugin so that it can update these 2 files. Click on the Allow File Updates button and it’s all done.

3. Secure your site: If you click on the One Click Secure button, the plugin will start working on your site with optimal settings. The plugin will try its best not to conflict with any other existing plugin or theme in your installation.

4. Help us improve: The plugin collects anonymous data about your installation from time to time so that its future versions can be improved. If you’d like to turn on the data collection feature, then click on the YES, I’d like to help button.

There is no harm in turning this feature ON, as the plugin does not collect any of your personal information like your email address, username or password.

Once you have enabled your preferred options under Important First Steps, you will land on the dashboard page of the plugin. The very first thing that the plugin will ask you to do is to temporarily whitelist your own IP address:

whitelist

This option prevents you from being accidentally locked out of your own installation for the next 24 hours. If the plugin detects that you are doing something strange with your website while you are setting its many security options, it may instantly lock out your IP address and you will have problems accessing your own site.

Note: If your Internet Service Provider (ISP) allocates you a dynamic IP address which changes every time you reboot your modem/router, then the plugin may inadvertently lock you out of your own site!

Click on Temporarily Whitelist my IP button, and the plugin will show you a message that your IP address has been whitelisted for the next 24 hours:

whitelisted

Scroll down a little and you will see a list of all those items in your installation that require fixing. These items are categorized under high, medium and low priorities:

priorities

Among the listed items, the following are some of the most common security issues that the plugin may ask you to fix in your installation:

Note: You should give extra attention to the items listed under high and medium priorities.

  • Admin user has to be removed or renamed: admin or ADMIN is a very common username that exists in almost all WordPress installations. Many experts consider this a security issue, as a hacker can easily guess the password of this username by launching brute force or dictionary attacks. If there is a user in your installation whose username is admin, then you should either remove that user from your installation permanently or rename it to something else.
  • User’s nicknames are different from their display name: Suppose you have selected apple as your username and you have not entered your First Name and Last Name in your blog’s user profile; WordPress will then automatically set your nickname to apple too! Now, if your nickname is displayed as the author’s name under your blog posts, a hacker can easily learn your username and may start trying to determine the password of your account using password cracking techniques.
  • Whether your installation is telling every bot that you are using WordPress as your CMS: If you view the source code (CTRL + U) of any publicly accessible page of your website and you can see the name of your content management system as well as its version number in the header area (in <meta name="generator" content="WordPress 3.8.3" />), then you are giving an open invitation to attackers and bad bots to exploit your installation using the vulnerabilities present in the current version of the CMS.
  • Whether profiles of users without any content are publicly available: Suppose you have recently created a new author account on your blog and that author has never published a post on your site. Such authors should not have a publicly visible profile, as otherwise it becomes very easy for bad bots to determine their username.
  • Whether your installation is publishing Windows Live Writer tags in the header: If you are not using Windows Live Writer or another blogging client to post content to your blog, then WLW (Windows Live Writer) tags should not appear in the header area of the source code of your web pages.
  • Whether your login page (/wp-login.php) is giving out unnecessary information upon failed login: Whenever a login attempt fails, the CMS tells the user the exact reason why it failed (for example, that the username or the password was typed incorrectly). This type of information must not be displayed when an attempt fails.
  • Schedule database backups: The database of your installation contains EVERYTHING that is present in your blog, like your post/page content, comments, hyperlinks, image URLs, settings etc. If you don’t have a recent backup of your database and your existing database gets corrupted or deleted, then everything present in your blog will be lost too!
  • Whether 404 protection is turned on in your blog: If a user or a bot generates too many 404 Not Found error pages on your blog in a very short period of time, the plugin can block them from your installation. Generating too many 404 error pages in a relatively short period of time indicates that a user or a bot is scanning for vulnerabilities in your installation. Keep in mind that you are required to enable permalinks to use this feature of the plugin.
  • Whether a user with id 1 exists in your installation: If you type yourdomain.com/?author=1 into your web browser, WordPress will redirect you to the author page of the user whose user id is set to 1 (user id=1). This user id generally belongs to the administrator of your installation, and the author page may show you the administrator’s username.
  • Whether you are using away mode in WordPress: Whether your blog is maintained only by you or by multiple authors, neither you nor your authors will be updating it 24 hours a day. If you enable the plugin’s away mode, you can set a time period during which your blog’s dashboard is completely unavailable to all registered users.
  • Whether the file change detection feature has been enabled for your installation: The plugin can compare all your existing files with the files of the last check. In this way you will be able to know which files have changed since last time and whether any malicious code is present in them. This feature is discussed in detail later in this post.
  • Whether the important access URLs of your installation are using the default addresses: The default login URL of your installation is /wp-login.php and the default address for your dashboard is /wp-admin/. For security reasons it is sometimes recommended to change these default addresses to something else, so that brute force and dictionary attacks can be prevented. This feature is discussed in detail later in this post.
  • Whether common but important system files are protected from direct access: Certain files in your installation like html, README.txt, wp-config.php etc. must not be writable or freely available for direct public access.
  • Whether your site is protected from suspicious-looking information in the URL: If someone is trying to gain access to your site using suspicious query strings in the URL, the plugin can instantly block such requests. Keep in mind that if you enable this feature, the functionality of certain themes and plugins may be affected.
  • Whether you are allowing users with no user agent information to post comments on your blog: Users with no user agent or associated browser information are generally spammers, and their main task is to post spam comments on various weblogs. The plugin can block this type of bad user from your installation.
  • Whether XML-RPC is available for your installation: XML-RPC is a protocol with which you can post to your WordPress blog from many popular weblog clients like BlogDesk, BlogJet, MS Word 2007 etc. However, an attacker can use this feature against you, and it is recommended that you disable it, at the cost of losing the functionality of some plugins like Jetpack.
  • Whether PHP execution is enabled for the uploads folder in your installation: The /wp-uploads/ folder is the default upload directory of your installation, and if a user of your blog uploads a malicious PHP script to this folder and it gets executed, it may compromise your whole installation. The plugin can permanently disable PHP execution for this directory.

System Information

Under system information you will be able to see the following information about yourself, your server and your installation:

Under User Information:

  • Public IP Address: This is the IP address of your computer/network that you are currently using to access your dashboard. If your ISP allocates you dynamic IP addresses every time you reboot your router, then the IP address present in this field will change the next time you login with a new IP address.
  • User Agent: Type of web browser that you are currently using to access your dashboard. For example, the user agent for Google Chrome browser is Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36.

Under File System Information:

  • Website’s root address: This will be the address of your website using which you and your visitors can access your blog. If you have installed WordPress in a subdirectory, say abc, then your website’s root address will become http://yourdomain.com/abc/ and if you have installed WordPress on a sub-domain, say xyz, then the root address will become http://xyz.yourdomain.com/.
  • Document root path: Address in your server where you can find all your website’s files. Example path: /home/<cPanel Username>/public_html/.
  • Whether the hypertext access (.htaccess) and wp-config.php files of your installation are writable: If these files are writable by everyone, then it’s a security threat.

Under Database Information:

  • Type of database you are currently using along with its version and client version.
  • Name of your Database host.
  • Database name and database user’s name.
  • Whether SQL mode is enabled or not.

Under Server Information:

  • Server/website IP address: This is the IP address of the server on which your website is currently hosted. If in future you change your web hosting provider, then the IP address present in this field will also change.
  • Server type: Apache, LiteSpeed etc.
  • Name of the OS of your server: Name of operating system that your hosting server is currently running. It can be Linux, Windows etc.
  • Browser compression supported: What type of HTTP compression techniques are supported by your server like gzip, deflate, sdch (Shared Dictionary Compression over HTTP) etc.

Under PHP Information:

  • PHP Version: Version of PHP that is currently installed on your server.
  • PHP Memory Usage: Amount of PHP memory that is currently consumed by various running PHP processes on your server.
  • PHP Memory Limit.
  • PHP Max Upload Size.
  • PHP Max Post Size.
  • PHP Safe Mode.
  • PHP Allow URL fopen.
  • PHP Allow URL Include.
  • PHP Display Errors.
  • PHP Display Startup Errors.
  • PHP Expose PHP.
  • PHP Register Globals.
  • PHP Max Script Execution Time.
  • PHP Magic Quotes GPC.
  • PHP open_basedir.
  • PHP XML Support.
  • PHP IPTC Support.
  • PHP Exif Support.
  • Disabled PHP Functions.

Under WordPress Configuration:

  • Multi-site: If you are using WordPress MU (http://mu.wordpress.org/), then you will see that it is enabled in this field. And if you are using a single installation of WordPress for your domain, then you will see a message which says multisite is not enabled.
  • WP Permalink structure: In order to make use of this plugin, it is necessary that you select a proper permalink structure for your blog. If you are using the default permalink structure, i.e. yourdomain.com/?p=123, with your installation, then some functions of this plugin won’t work at all.
  • Location of wp-config.php file: This field shows you the current path of the wp-config.php file of your installation. If you are using cPanel as your hosting control panel and you have installed WordPress on your primary domain, then your wp-config.php file must be present at /home/<cPanel Username>/public_html/wp-config.php, and if you have installed WordPress on a subdomain or a subdirectory named ABC, then its location will be /home/<cPanel Username>/public_html/ABC/wp-config.php.

Under active lockouts:

You will be able to see a complete list of hosts, users and usernames which have been locked out from your installation for breaking security rules of the plugin or for engaging in malicious activities.

Under .htaccess Rewrite and wp-config.php rules

In case you have inserted some custom rules/code in your hypertext access or wp-config.php file, then they will be visible in this section.

Settings Tab

The settings tab of the plugin allows you to set/select how the plugin should work for and handle your installation.

Under global settings:

  • Write to files: Check the box in front of Allow iThemes Security to write to wp-config.php and .htaccess files, so that the plugin gains WRITE permission to modify these 2 files automatically. If you don’t want to enable this option, then you will have to manually insert code blocks in each of these 2 files, which is quite hard and confusing for most WordPress users.
  • Notification email: Enter the email address in which you want to receive security notifications about your installation from the plugin. You can also enter multiple email addresses in this field, one per line.
  • Backup delivery email: Enter the email address in which you want to receive your blog’s database backup file. Feel free to enter multiple email addresses in this field.
  • Host lockout message: Enter your custom message which you’d like to display in the web browser of a computer/host whenever it gets locked out from your installation. In this message you are free to use HTML code, page breaks, strong, h1, h2, h3, div etc.
  • User lockout message: Enter your custom message which you’d like to display in the web browser of a registered user of your site, whose account gets locked out from your site. In this message you are free to use HTML code, page breaks, strong, h1, h2, h3, div etc.
  • Blacklist threshold: If you enable Blacklist Repeat Offender, then enter the maximum value for total number of lockouts per IP before the host is permanently banned from your site.
  • Blacklist look-back period: Enter the total number of days after which the ban on a particular IP address is lifted automatically.
  • Lockout period: Enter the value of length of time in minutes after which a host or a user will be banned from your site for bad/invalid login attempts.
  • Lockout White list: Enter a list of IP addresses or IP range which you do not want the plugin to automatically lockout from your installation in any case. Although you can always place a ban on these IP addresses manually. Individual IP addresses must be in the format of IPv4 standard (192.168.1.1 or 192.168.1.1/8) and you are only allowed to use a wildcard or a net mask when you are specifying a range. Wild cards can only be used at the very end like 192.168.1.* and not in the middle like 192.168.*.8, when specifying a range.
  • Email lockout notification: Check the box in front of this option if you want to receive email notifications whenever an IP address or a user is locked out from your installation by the plugin.
  • Log type: The plugin can store logs about your database, files or both. Whenever something in your database or file system changes, the change will be registered in the events log maintained by the plugin.
  • Days to keep database logs: Specify the total number of days after which database logs are deleted from your server.
  • Path to log files: The default location of log file in your server is /home/<cPanel Username>/public_html/wp-content/uploads/ithemes-security/logs (assuming that you have installed the plugin for your primary domain name running WordPress).
  • Allow data tracking: The plugin can track and send anonymous usage data to its developer from time to time. This data does not include any personal or sensitive information about your installation like your email address, username or password. There’s no harm in enabling this option.

Under 404 Detection:

If a user or a bot is generating too many non-existing pages (404 error pages) in your blog, then chances are very high that they are scanning for vulnerabilities in your installation. All such IP addresses/hosts are recorded in the Logs tab of the plugin for your future reference.

Under 404 detection you will be able to see following details as per the options selected under Global Settings:

404

  • Whether a permanent ban on suspicious IP addresses/host can be imposed by the plugin automatically.
  • Maximum number of lockouts before a permanent ban is placed on an IP address.
  • Duration of each lockout.
  • Lockout message whenever an IP address is banned from your site.
  • Lockout message which will be shown to a registered user of your blog whenever he gets locked out for too many invalid login attempts.
  • Whether your own IP address is whitelisted.

Keep in mind that this feature will only work if you have turned on a proper permalink structure for your blog. Check the box in front of 404 detection and you will be able to set/select the following options for it:

  • Minutes to remember 404 error: Whatever value you enter in this field will become the total number of minutes up to which the plugin should remember the generated not found errors and should count them towards a lockout.
  • Error threshold: Maximum number of not found errors after which a lockout is automatically triggered by the plugin for a particular IP address.
  • 404 File/Folder White list: Certain files and directories of your installation like ico, robots.txt, /wp-content/cache etc. may generate a 404 error if they are not present in your installation and someone tries to access them. You should enter a full list of all such files and folders which you do not want the plugin to count towards a lockout. Keep in mind that the path of any file/folder in your installation should begin with a forward slash.
  • Ignored file types: Suppose you were hosting a PDF file or an image file in your installation and for some reason you deleted the file. Now, when a legitimate user tries to access this file, probably by means of a dead link, he may get locked out of your installation. In this section you should enter a full list of all those file types which will be recorded as 404 errors but will not result in lockouts.
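To make the interplay of these four settings concrete, here is an added example (not the plugin's own implementation) that applies them to a few constructed Apache-style access log lines: whitelisted paths and ignored file types are recorded but never counted, and a host that produces more 404s than the threshold inside the window is locked out. The NotFoundDetector class, the log lines and the settings values are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class NotFoundDetector:
    """Counts 404s per client IP inside a sliding window and locks out hosts
    that exceed the error threshold, honouring the whitelist and ignored types.
    (Constructed example class, not the plugin's code.)"""

    def __init__(self, minutes_to_remember, error_threshold, whitelist, ignored_types):
        self.window = timedelta(minutes=minutes_to_remember)
        self.threshold = error_threshold
        # Whitelist paths must begin with "/", as the settings page requires.
        self.whitelist = [p for p in whitelist if p.startswith("/")]
        self.ignored_types = {ext.lower() for ext in ignored_types}
        self.counted = defaultdict(deque)  # ip -> timestamps of 404s that count
        self.recorded = []                 # every 404 seen, counted or not
        self.locked = {}                   # ip -> time the lockout was placed

    def _whitelisted(self, path):
        # An entry matches the exact path or anything below a folder entry.
        return any(path == w or path.startswith(w.rstrip("/") + "/") for w in self.whitelist)

    def _ignored_type(self, path):
        bare = path.split("?", 1)[0].lower()
        return any(bare.endswith(ext) for ext in self.ignored_types)

    def feed(self, line):
        """Process one log line; returns the IP if this line triggered a lockout."""
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            return None
        ip, path = m.group("ip"), m.group("path")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        self.recorded.append((ip, path, ts))
        if ip in self.locked or self._whitelisted(path) or self._ignored_type(path):
            return None
        q = self.counted[ip]
        q.append(ts)
        while ts - q[0] > self.window:   # forget errors older than the window
            q.popleft()
        if len(q) > self.threshold:      # more than the allowed maximum: lock out
            self.locked[ip] = ts
            q.clear()
            return ip
        return None


# Constructed sample log: one browser hitting harmless 404s, one scanner probing
# plugin readme files (the first probe is old enough to fall outside the window).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Aug/2014:09:50:00 +0000] "GET /wp-content/plugins/sample-plugin-1/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
198.51.100.4 - - [10/Aug/2014:10:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2014:10:00:05 +0000] "GET /files/brochure.pdf HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2014:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2014:10:01:00 +0000] "GET /wp-content/plugins/sample-plugin-2/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:05 +0000] "GET /wp-content/plugins/sample-plugin-3/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:10 +0000] "GET /wp-content/plugins/sample-plugin-4/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:15 +0000] "GET /wp-content/plugins/sample-plugin-5/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:20 +0000] "GET /wp-content/plugins/sample-plugin-6/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:25 +0000] "GET /wp-content/plugins/sample-plugin-7/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
203.0.113.9 - - [10/Aug/2014:10:01:30 +0000] "GET /wp-content/plugins/sample-plugin-8/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
"""


def run_sample(log=SAMPLE_LOG):
    """Run the detector with constructed settings; returns (locked IPs, 404s recorded)."""
    det = NotFoundDetector(
        minutes_to_remember=5,
        error_threshold=5,
        whitelist=["/favicon.ico", "/robots.txt", "/wp-content/cache"],
        ignored_types=[".pdf", ".jpg", ".png"],
    )
    lockouts = [ip for ip in (det.feed(line) for line in log.splitlines()) if ip]
    return lockouts, len(det.recorded)


if __name__ == "__main__":
    locked, seen = run_sample()
    print(f"{seen} not-found errors recorded, hosts locked out: {locked}")
```

The browser's favicon and PDF misses are recorded but never counted, so only the scanner is locked out.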

Under Away Mode:

If your dashboard does not need to be accessible 24 hours a day, seven days a week, then you may want to enable away mode for your installation.

away

Check the box in front of Enable away mode and then select following things:

  • Select the type of restriction from the drop-down menu which you’d like to enable for everyone. The restriction can be either on a daily basis or one time only.
  • Select the time (in Hours, Minutes and AM/PM format) from the drop-down menu at which the away mode gets activated automatically and your dashboard becomes unavailable to everyone (including yourself too).
  • Select the time (in Hours, Minutes and AM/PM format) from the drop-down menu at which the away mode gets deactivated automatically and everyone will be able to access your dashboard once again.

Under Banned Users:

Mr. Jim Walker from HackRepair.com has built an excellent blacklist which can instantly ban bad hosts and user agents from your site. If you want to enable this blacklist, then check the box in front of Enable HackRepair.com’s blacklist feature and it’s all done.

ban

And if you’d like to ban certain IP addresses and hosts manually from your site, then check the box in front of Enable ban users and start entering following details:

  • Ban hosts: Enter a list of IP addresses or IP range which you want the plugin to instantly lockout from your installation. Individual IP addresses must be in the format of IPv4 standard (192.168.1.1 or 192.168.1.1/8) and you are only allowed to use a wildcard or a net mask when you are specifying a range. Wild cards can only be used at the very end of an IP address like 192.168.1.* and it cannot be used in the middle like 192.168.*.8.
  • Ban user agents: Enter a list of user agents each separated by a line which you want to ban from your site.
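The two IP-list fields above (Lockout White list under global settings and Ban hosts here) share the same syntax. The following added example, which is not the plugin's own code, shows one way to parse that syntax and test whether a visitor's address is covered; names like parse_entry and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# "192.168.1.*": a wildcard is only allowed in the last octet.
_TRAILING_WILDCARD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\*$")


def parse_entry(entry):
    """Turn one list line into an ipaddress network object.

    Accepts '192.168.1.1', '192.168.1.0/24' and '192.168.1.*'.
    Raises ValueError for anything else, including '192.168.*.8'.
    """
    entry = entry.strip()
    m = _TRAILING_WILDCARD.match(entry)
    if m:
        # A trailing wildcard covers the whole last octet: the same as a /24.
        return ipaddress.ip_network(f"{m.group(1)}.{m.group(2)}.{m.group(3)}.0/24")
    if "*" in entry:
        raise ValueError(f"wildcard only allowed at the very end: {entry!r}")
    # strict=False so that '192.168.1.1/8' (host bits set), which the settings
    # page gives as a valid example, is accepted; it normalises to 192.0.0.0/8.
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are supported: {entry!r}")
    return net


def is_valid_entry(entry):
    """True if the line would be accepted by parse_entry."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def parse_list(text):
    """Parse a whole textarea, one entry per line; blank lines are skipped."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def is_listed(ip, networks):
    """True if the IPv4 address is covered by any entry in the parsed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed sample list in the format the settings page expects.
SAMPLE_LIST = """
203.0.113.7
198.51.100.0/24
192.168.1.*
"""

if __name__ == "__main__":
    nets = parse_list(SAMPLE_LIST)
    for probe in ("203.0.113.7", "198.51.100.200", "192.168.1.44", "192.168.2.44"):
        print(f"{probe:>16}  listed={is_listed(probe, nets)}")
    print("192.168.*.8 accepted:", is_valid_entry("192.168.*.8"))
```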

Under Brute Force Protection:

Check the box in front of Enable Brute Force protection and set/select following things:

brute

  • Maximum login attempts per host: Enter a value for maximum number of failed login attempts after which a lockout automatically triggers for a particular IP address.
  • Maximum login attempts per user: Enter a value for the maximum number of failed login attempts by a registered user of your site. After the threshold has been reached, the plugin will automatically lock out that registered user.
  • Minutes to remember bad login: Enter a value of time in minutes up to which the plugin should remember bad login attempts from a particular IP address/range.
  • Automatically ban “admin” user: If a user with the username admin or ADMIN does not exist in your installation and someone tries to log in with this username, then the plugin will instantly lock out that particular IP.
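The following added example (not the plugin's code) applies the four settings above to a constructed stream of login attempts: a per-host threshold, a per-user threshold that also catches a distributed attack spread over many hosts, a window of minutes to remember, and the automatic lockout of anyone trying the non-existent admin username. The BruteForceGuard class, user list and addresses are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class BruteForceGuard:
    """Applies the brute force protection settings to a stream of login attempts.
    (Constructed example class, not the plugin's implementation.)"""

    def __init__(self, max_per_host, max_per_user, minutes_to_remember,
                 ban_admin_username, existing_users):
        self.max_per_host = max_per_host
        self.max_per_user = max_per_user
        self.window = timedelta(minutes=minutes_to_remember)
        self.ban_admin_username = ban_admin_username
        self.users = {u.lower() for u in existing_users}
        self.host_failures = defaultdict(deque)  # ip -> failure timestamps
        self.user_failures = defaultdict(deque)  # username -> failure timestamps
        self.locked_hosts = {}                   # ip -> time of lockout
        self.locked_users = {}                   # username -> time of lockout

    def _record(self, queue, ts):
        """Add a failure and forget those older than 'minutes to remember'."""
        queue.append(ts)
        while ts - queue[0] > self.window:
            queue.popleft()
        return len(queue)

    def attempt(self, ts, ip, username, success):
        """Process one login attempt; returns the lockout actions it caused."""
        if ip in self.locked_hosts:
            return ["rejected: host already locked"]
        user = username.lower()
        # "Automatically ban admin user": no such account exists, so anyone
        # trying it is probing and is locked out on the very first attempt.
        if self.ban_admin_username and user == "admin" and "admin" not in self.users:
            self.locked_hosts[ip] = ts
            return [f"host locked (admin probe): {ip}"]
        if success:
            return []
        actions = []
        if self._record(self.host_failures[ip], ts) > self.max_per_host:
            self.locked_hosts[ip] = ts
            self.host_failures[ip].clear()
            actions.append(f"host locked: {ip}")
        # The per-user counter is what catches one account hit from many hosts.
        if user in self.users and self._record(self.user_failures[user], ts) > self.max_per_user:
            self.locked_users[user] = ts
            self.user_failures[user].clear()
            actions.append(f"user locked: {user}")
        return actions


def _t(hhmmss):
    return datetime.strptime(f"2014-08-10 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed login attempts: (time, ip, username, succeeded?)
SAMPLE_ATTEMPTS = [
    (_t("10:00:00"), "198.51.100.4", "admin", False),   # probe for the admin account
    (_t("10:00:05"), "198.51.100.4", "alice", False),   # same host, already locked
]
# One host hammering a single account: 6 failures in under a minute.
SAMPLE_ATTEMPTS += [(_t(f"10:01:{10 * i:02d}"), "203.0.113.9", "alice", False) for i in range(6)]
# Distributed attempt on one account: 11 different hosts, one failure each.
SAMPLE_ATTEMPTS += [(_t(f"10:02:{i:02d}"), f"203.0.113.{20 + i}", "editor", False)
                    for i in range(11)]
# A legitimate user who mistypes once and then logs in.
SAMPLE_ATTEMPTS += [(_t("10:03:00"), "192.0.2.10", "alice", False),
                    (_t("10:03:20"), "192.0.2.10", "alice", True)]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    """Returns (locked hosts, locked users, list of actions) for the sample stream."""
    guard = BruteForceGuard(max_per_host=5, max_per_user=10, minutes_to_remember=5,
                            ban_admin_username=True, existing_users=["alice", "editor"])
    actions = []
    for ts, ip, user, ok in attempts:
        actions.extend(guard.attempt(ts, ip, user, ok))
    return sorted(guard.locked_hosts), sorted(guard.locked_users), actions


if __name__ == "__main__":
    hosts, users, actions = run_sample()
    print("\n".join(actions))
    print("locked hosts:", hosts, "locked users:", users)
```

Note that no single host in the distributed attempt reaches the per-host limit; only the per-user threshold stops it.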

Under Database backups:

If you have a full database backup of your entire site and something goes wrong then you can restore your site almost instantly using the backup file. Set/select following options to make use of database backup feature of the plugin:

  • Checking the box in front of Backup full database will allow the backup script to back up all tables in your database, including those that are not part of your WordPress blog.
  • Backup method: Select from email only, save locally only, and save locally and email. If you select email only, then your backup file will be sent to you via email, and if you select save locally only, then it will be saved on your server in the folder you specify in the next option.
  • Backup location: Enter the location on your server in which you’d like to save the database backup file. The default location is: /home/<cPanel Username>/public_html/wp-content/uploads/ithemes-security/backups, assuming that you have installed the CMS in your primary domain name.
  • Backups to retain: Enter the total number of backup files which you want to store on your server. Try to enter a realistic value in this field as per the disk space allotted to you on your server.
  • Compress backup files: If you’d like to compress all your backup files whenever they’re sent to you via mail or when they are stored locally on your server, then check the box in front of zip database backup.
  • Scheduled database backups: Check the box in front of enable scheduled database backup and enter a value for total number of days between consecutive backups.

Under File Change Detection:

If a hacker gets into your site, then the very first thing he might do to compromise your installation is to insert malicious code into your CMS’s core files. The file change detection feature of this plugin compares all your existing files with those of the last check. If you want to enable this feature, then check the box in front of Enable File Change Detection and set/select the following things:

  • Split file checking into chunks: Check the box in front of this option and file checking will be split into seven chunks for plugins, themes, /wp-admin/, /wp-includes/, uploads, /wp-content/ and everything else. These checks are evenly divided over the course of many days. Keep in mind that after enabling this option you may get lots of notifications from the plugin. However, these notifications can be considered extremely useful, as the plugin will check all your installation’s files with utmost precision.
  • Include/exclude files and folders: If you’d like to include/exclude certain files and folders from file change detection scan then select them accordingly.
  • Ignore file types: Enter a list of all those extensions which you want to ignore completely during the scan process. For example, you may want to exclude image file extensions like .JPEG, .PNG, .GIF etc. as comparing their previous version with the current one is of no use.
  • Email file change notifications: Whether you’d like to receive email notifications from the plugin whenever it detects a file whose code/contents has been changed since the last check.
  • Display file change admin warning: Checking the box in front of this option allows the plugin to display a file change detection notification in your WordPress dashboard too. It is recommended that you should enable this option.
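As an added example of what the feature above does (not the plugin's own implementation), the script below hashes every file under a WordPress root, keeps the result as the last check, honours the exclude list and ignored extensions, assigns each path to one of the seven chunks, and reports what changed on the next run. It builds a small constructed site in a temporary directory; the function names are assumptions.

```python
import hashlib
import os
import tempfile

# The seven chunks that "split file checking into chunks" divides a scan into.
CHUNKS = ("plugins", "themes", "wp-admin", "wp-includes", "uploads", "wp-content",
          "everything else")


def chunk_for(relpath):
    """Assign a '/'-separated path relative to the WordPress root to its chunk."""
    rules = (
        ("wp-content/plugins/", "plugins"),
        ("wp-content/themes/", "themes"),
        ("wp-content/uploads/", "uploads"),
        ("wp-admin/", "wp-admin"),
        ("wp-includes/", "wp-includes"),
        ("wp-content/", "wp-content"),   # anything else under wp-content
    )
    for prefix, chunk in rules:
        if relpath.startswith(prefix):
            return chunk
    return "everything else"


def snapshot(root, exclude=(), ignored_exts=(), only_chunk=None):
    """Return {relative path: sha256} for every file that is not excluded."""
    ignored = {e.lower() for e in ignored_exts}
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == x or rel.startswith(x.rstrip("/") + "/") for x in exclude):
                continue
            if os.path.splitext(name)[1].lower() in ignored:
                continue
            if only_chunk and chunk_for(rel) != only_chunk:
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(65536), b""):
                    digest.update(block)
            result[rel] = digest.hexdigest()
    return result


def compare(last_check, current):
    """Diff two snapshots: what appeared, what changed, what disappeared."""
    return {
        "added": sorted(set(current) - set(last_check)),
        "changed": sorted(p for p in current
                          if p in last_check and current[p] != last_check[p]),
        "removed": sorted(set(last_check) - set(current)),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_sample():
    """Build a constructed site, take a baseline, alter it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-includes/functions.php", b"<?php // core\n")
        _write(root, "wp-content/plugins/demo/demo.php", b"<?php // plugin\n")
        _write(root, "wp-content/uploads/2014/08/photo.jpg", b"\xff\xd8jpeg-bytes")
        _write(root, "wp-content/cache/page.html", b"<html>cached</html>")
        settings = dict(exclude=["wp-content/cache"], ignored_exts=[".jpg", ".png"])
        baseline = snapshot(root, **settings)
        # What the next check might find: a core file with an appended line,
        # a PHP file dropped into uploads, a deleted plugin, and two changes
        # (an image, a cache file) that the settings say to ignore.
        _write(root, "wp-includes/functions.php", b"<?php // core\n// unexpected extra line\n")
        _write(root, "wp-content/uploads/2014/08/image.php", b"<?php // should not be here\n")
        _write(root, "wp-content/uploads/2014/08/photo.jpg", b"\xff\xd8other-bytes")
        _write(root, "wp-content/cache/page.html", b"<html>refreshed</html>")
        os.remove(os.path.join(root, "wp-content/plugins/demo/demo.php"))
        report = compare(baseline, snapshot(root, **settings))
        uploads_only = sorted(snapshot(root, only_chunk="uploads"))
        return report, uploads_only


if __name__ == "__main__":
    report, uploads_only = run_sample()
    for kind, paths in report.items():
        print(f"{kind:>8}: {paths}")
    print("uploads chunk:", uploads_only)
```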

Under Hide Login Area:

The default login page URLs of every WordPress installation are /wp-login.php, /login/, /admin/ and /dashboard/. These URL slugs are very well known to attackers, who may keep hitting them to get into your installation. The hide login area feature of the plugin allows you to hide the backend of your installation by renaming /wp-login.php, /wp-admin/, /admin/, /login/ and /dashboard/. Check the box in front of Enable the hide backend feature and enter/select the following details:

  • Login slug: Enter your preferred login slug in the field provided. Keep in mind that you should not enter login, admin, dashboard or wp-login.php as these are the default slugs used by WordPress. Also you should not use any type of special character in the slug except for alphanumeric characters, dash and an underscore.
  • Enable Theme compatibility: When you enable hide backend feature your theme may start behaving strangely, especially when you go to /wp-admin/ page of your installation. Enabling theme compatibility mode fixes this type of problem.

Under SSL:

Secure Sockets Layer (SSL) is a technology which is used to send encrypted data packets between one’s computer and a web server. When you transmit sensitive data like your username, password etc. over a plain HTTP connection, a hacker may intercept these data packets during their transit!

If your server supports an SSL certificate, then HTTPS can be enabled for your entire site as well as for your login pages.

  • Front end SSL mode: Select either per content or whole site from the drop-down menu in front of Front end SSL mode. If you select per content, then you can enable SSL for selected posts and pages of your blog, just by checking a small checkbox that will appear near the publish button in the post/page editor. And if you select whole site then SSL will be enforced on your entire site.
  • SSL for login: If you want your login page to be served over a secure SSL connection, then check the box in front of this option.
  • Force SSL for dashboard: If you want your site’s dashboard i.e. /wp-admin/ to be served over a secure SSL connection, then enable this option.

Note: If you have purchased an SSL certificate and want to use it with your blog, then the following are the 2 available options for you:

  • SNI Technology: Server Name Indication (SNI) technology allows you to use multiple SSL certificates on a single shared IP address and port number. Because of SNI you are not required to buy a dedicated IP address for your account. You should contact your host and ask them whether their server supports SNI technology and whether they can install an SSL certificate for you. If their server supports SNI technology, then they may charge you an additional fee for certificate installation. Keep in mind, though, that SNI is not compatible with Windows XP, Internet Explorer 7, 8 and 9, Internet Explorer 6 and earlier, the Safari web browser running on Windows XP, the BlackBerry Browser, certain Windows Mobile browsers and browsers for Symbian S60 devices.
  • Buy a Dedicated IP Address: You are required to buy a dedicated IP for your account and then ask your host to install the certificate for you for an additional charge. If you own a VPS or Dedicated Server, then you can install the certificate yourself.

Under strong passwords:

Strong login passwords are very essential for your administrator account, account of your co-administrators, editors and authors. Check the box in front of Enable Strong Password Enforcement and then select the minimum role at which a user must choose a strong password. It is recommended to choose the minimum role as author.

Under system tweaks:

The options present under system tweaks protect your blog from common types of attacks, but they can also prevent legitimate services and plugins from functioning properly. Try out the following options one by one, and if your site starts behaving strangely after enabling a particular option, then you may want to disable that option:

  • Protect system files: Enabling this option will prevent direct public access to html, README.txt, wp-config.php, install.php, /wp-includes/ and hypertext access files of your installation. Some of these files contain sensitive information or configuration instructions about your installation, therefore they must not be available for public access.
  • Disable Directory Browsing: This option will prevent direct access to all those directories of your installation which contain no index.html file.
  • Filter Request Methods: If someone is hitting your website with TRACE, DELETE or TRACK HTTP request methods, then the plugin can automatically ignore all such incoming requests.
  • Suspicious Query Strings: If someone is trying to gain access to your site using suspicious query strings in the URLs of your various posts, pages, plugins or themes, then the plugin can block such requests.
  • Non-English characters: If someone is using non-English characters in query strings, then the plugin can filter all such requests. Keep in mind that this option will only work if you have enabled Filter Suspicious Query Strings.
  • Long URL strings: Enabling this option will limit the total number of characters that can be used in a URL. Very long URLs are generally used by attackers, and their main aim is to inject information into your database.
  • File writing permissions: This option disables file writing permission for wp-config.php file as well as .htaccess file by setting their CHMOD to 0444 (read only). Keep in mind that if you enable this option then certain plugins in your installation may have problem working with your site. If you turn this option OFF, then the permission for both the files changes to 0664 (Only the user and the group can read and write to the file, but cannot execute it).
  • Disable PHP in Uploads: Enabling this option will disable PHP code execution in the /wp-content/uploads/ directory of your installation. If somehow someone uploads a malicious PHP file in this directory, then the plugin will prevent the execution of the code.
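The Apache rules behind these System Tweaks, written into .htaccess the way a plugin does it, as an added example (not iThemes Security’s own code). It assumes Apache 2.4 `Require` syntax and PHP 7.4+, uses WordPress’s real `insert_with_markers()` helper, and the `example_*` function names are hypothetical.

```php
<?php
/* Plugin Name: Example System Tweaks
 * Added example, not iThemes Security code: writes Apache rules equivalent to the System
 * Tweaks toggles into .htaccess between marker lines via WordPress's insert_with_markers(). */
defined('ABSPATH') || exit;

// Rules for the site root .htaccess (function names are hypothetical; Apache 2.4 syntax).
function example_root_rules(): array {
    return [
        // Protect system files: refuse direct requests to these files.
        '<FilesMatch "^(wp-config\.php|install\.php|readme\.html|README\.txt|\.htaccess)$">',
        '    Require all denied',
        '</FilesMatch>',
        // Disable directory browsing where no index file exists.
        'Options -Indexes',
        '<IfModule mod_rewrite.c>',
        '    RewriteEngine On',
        // Filter request methods (TRACE, TRACK, DELETE) and long URL strings (paths over 255 chars).
        '    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DELETE)$ [OR]',
        '    RewriteCond %{REQUEST_URI} ^.{256,}$',
        '    RewriteRule .* - [F]',
        // Suspicious query strings: traversal, script tags, superglobal injection and
        // (non-English characters) any percent-encoded byte >= 0x80, which also blocks UTF-8.
        '    RewriteCond %{QUERY_STRING} \.\.(/|%2F) [NC,OR]',
        '    RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]',
        '    RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST)(=|\[|%5B) [NC,OR]',
        '    RewriteCond %{QUERY_STRING} %[89A-Fa-f][0-9A-Fa-f]',
        '    RewriteRule .* - [F]',
        '</IfModule>',
    ];
}

// Disable PHP in Uploads: rule for wp-content/uploads/.htaccess.
function example_uploads_rules(): array {
    return ['<FilesMatch "\.(php|phtml|phar)$">', '    Require all denied', '</FilesMatch>'];
}

function example_apply_rules(bool $enable): void {
    require_once ABSPATH . 'wp-admin/includes/misc.php'; // defines insert_with_markers()
    $targets = [
        ABSPATH . '.htaccess' => example_root_rules(),
        trailingslashit(wp_upload_dir()['basedir']) . '.htaccess' => example_uploads_rules(),
    ];
    foreach ($targets as $file => $rules) {
        // An empty insertion clears the rules between the markers, so deactivation undoes them.
        insert_with_markers($file, 'Example System Tweaks', $enable ? $rules : []);
    }
}
register_activation_hook(__FILE__, fn() => example_apply_rules(true));
register_deactivation_hook(__FILE__, fn() => example_apply_rules(false));
```

Note that the file-permissions toggle described above (CHMOD 0444 on .htaccess) must be off while these rules are written, since the file is opened for writing.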

Under WordPress tweaks:

  • Remove WordPress generator meta tag: If you view the source code (CTRL + U) of any publicly accessible page of your website and can see the name of your content management system as well as its version in the header area (in a <meta name="generator" content="WordPress 3.8.3" /> tag), then you are giving an open invitation to attackers and bad bots to exploit your installation using the vulnerabilities present in the current version of the CMS.
  • Remove Windows Live Writer tags from header: This option will remove WLW tags from your site’s <head> section. If you are not using Windows Live Writer or any other blogging client for writing posts/pages on your blog, then there is no need for these tags.
  • Edit URI Header: This will remove the RSD (Really Simple Discovery) header from your installation. If you are not connecting your blog to an external service like Flickr using the XML-RPC protocol, then it’s recommended to remove the RSD header.
  • Reduce comment spam: Enabling this option will filter out all comments which don’t have any user agent information attached to them.
  • Disable file editor: Enabling this option will disable the file editor within your dashboard, after which you won’t be able to make changes to your site using the appearance or plugin editor. If you ever want to edit a file, you will have to log in to your cPanel account and edit the file using the file manager, or upload the updated file using an FTP client.
  • XML-RPC: Select one of OFF (the XML-RPC protocol will be fully functional for your installation), only disable Trackbacks/Pingbacks, or completely disable XML-RPC. Disabling Trackbacks/Pingbacks is quite useful, as it can prevent denial of service attacks against your installation by means of a trackback and pingback traffic flood.
  • Replace jQuery With a Safe Version: If you are using a custom theme with your installation, then this option can remove the existing jQuery version from your installation and replace it with the version that ships with WordPress by default. This field also shows you the version number of jQuery that your theme is currently using.
  • Disable login error messages: If you check the box in front of this option, error messages on failed login attempts will be disabled.
  • Force a User to choose a unique nickname: As discussed earlier in this post, if you choose apple as your login username and don’t enter your first and last name, then WordPress will automatically make your nickname apple as well. Now if you are displaying your nickname under your blog posts, then an attacker might be able to guess your password very easily.
  • Disable Extra User Archives: If there’s an author on your blog who hasn’t published a single post on your site, then this option will disable that author’s archive page on your installation.
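The WordPress Tweaks above implemented with WordPress core hooks, as an added example that is not the plugin’s own code. The `EXAMPLE_XMLRPC_MODE` setting and the plugin name are hypothetical; every hook and filter name is core WordPress API.

```php
<?php
/* Plugin Name: Example WordPress Tweaks
 * Added example, not the plugin's own code: implements the WordPress Tweaks with core hooks.
 * The EXAMPLE_XMLRPC_MODE setting is hypothetical; requires PHP 7.4+ for arrow functions. */
defined('ABSPATH') || exit;

// Mirrors the three XML-RPC choices: 'off' (leave enabled), 'pingbacks', or 'all'.
const EXAMPLE_XMLRPC_MODE = 'pingbacks';

add_action('init', function () {
    // Remove the WordPress generator meta tag, Windows Live Writer manifest and RSD link.
    remove_action('wp_head', 'wp_generator');
    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'rsd_link');
    add_filter('the_generator', '__return_empty_string'); // also strips the version from feeds
});

// Reduce comment spam: reject comments submitted without a User-Agent header.
add_action('pre_comment_on_post', function () {
    if (empty($_SERVER['HTTP_USER_AGENT'])) {
        wp_die(__('Comments without a user agent are not accepted.'), '', ['response' => 403]);
    }
});

// Disable file editor: hides the Appearance/Plugin editors and denies the edit_themes capability.
defined('DISALLOW_FILE_EDIT') || define('DISALLOW_FILE_EDIT', true);

// XML-RPC: disable it fully, or only drop pingbacks/trackbacks and the X-Pingback header.
if (EXAMPLE_XMLRPC_MODE === 'all') {
    add_filter('xmlrpc_enabled', '__return_false');
} elseif (EXAMPLE_XMLRPC_MODE === 'pingbacks') {
    add_filter('xmlrpc_methods', function (array $methods) {
        unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
        return $methods;
    });
    add_filter('pings_open', '__return_false'); // also refuses trackbacks sent to wp-trackback.php
    add_filter('wp_headers', function (array $headers) {
        unset($headers['X-Pingback']); // stop advertising the pingback endpoint
        return $headers;
    });
}

// Disable login error messages: one generic message whether the user or the password was wrong.
add_filter('login_errors', fn() => __('Login failed.'));

// Disable Extra User Archives: serve a 404 for author pages of users with no published posts.
add_action('template_redirect', function () {
    if (is_author() && (int) count_user_posts(get_queried_object_id()) === 0) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
    }
});
```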

Advanced Tab

The advanced tab of the plugin allows you to alter certain core things of your installation. Keep in mind that before changing/setting anything on this page, it is highly recommended that you create and download a full backup (database + whole cPanel account) of your entire site, because once the changes have been made they can’t be reverted even if you remove the plugin from your installation.

Admin user: If there is a user in your installation whose username is admin or whose user ID is set to 1, then this tool allows you to change the username/ID of that particular user almost instantly.

All you need to do is to check the box in front of Enable Admin User Renaming and enter a new username with which you want to replace the current one:

admin

Also, if there is a user whose user ID is set to 1, then check the box in front of Change User ID and click on the Save Admin User button. Keep in mind that if you are logged in using the admin username or using a username whose user ID is 1, then you will be logged out of your installation and will have to log in again (using your new username).

Change Content Directory: Whether you install WordPress manually or using an auto-installer like Quick Install, Fantastico, Softaculous etc., /wp-content/ remains the default directory of your installation, where the CMS stores all your articles’ images, plugin and theme files and other uploaded documents (.pdf, .doc, .docx, .xls, .xlsx etc.). A hacker always keeps an eye on this folder and scans it from time to time, hoping to find vulnerable files that you have uploaded to your account.

If you change the name of this directory to something else, then the hacker might not be able to monitor or scan this directory any longer. The Change Directory tool of the plugin allows you to rename the /wp-content/ directory permanently.

Very important note: Renaming your /wp-content/ folder will break your entire site as well as the functionality of any other installed plugin that is fully dependent on this folder. You should take a full backup of your entire account if you are going to run this tool. After renaming, if you think that your site or some installed plugin is not working as expected, then you should restore your whole account using the backup file you created earlier. Also, try to run this tool on a fresh installation of WordPress, or on an installation which contains very few posts, pages or other content.

rename directory

If you are 100% sure that you want to use this tool to rename the /wp-content/ of your installation, then check the box in front of Enable change directory name >> enter the new directory name and click on Change Content Directory button.

Keep in mind that after the renaming process is complete, you will be logged out of your installation and will be required to log in once again.

Change database prefix: The default table prefix of the WordPress database is wp_, and many security experts consider it a security issue. If you want to rename your database’s table prefix to something more difficult to guess, then you can make use of this tool of the plugin.

Very Important note: Always generate a fresh database backup of your installation before running this tool.

prefix

All you need to do is to check the box in front of Change Table Prefix and click on Change Database Prefix button. The tool will generate a new prefix for you almost instantly.

Keep in mind that this tool may consume lots of resources on your server. If you see memory errors or any other type of error, then contact your host and show them the error. They may either raise your account’s memory limit or may simply tell you that you can’t run this tool on their server!

Backup Tab

The backup tab of the plugin allows you to create an on-demand backup of your whole database. The process will execute as per the settings you selected under Database Backups on the Settings tab of the plugin (discussed above):

create database backup

All you need to do is to click on Create Database Backup button and it’s all done.

Logs Tab

This page shows you all critical security entries that have been logged by the plugin. You can see many important details on this page like:

attack type

  • Type of function performed, like invalid login attempts, host or user lockout etc.
  • Priority level assigned to each function.
  • Date and time.
  • IP address.
  • Username.
  • Type of attack, like brute force etc.
  • Ban expiration date and time if an IP address has been locked out from your installation.