Feature Spotlights
There are a lot of features to go through in iThemes Security Pro, so we have created some 'Feature Spotlight' articles to give you a more in-depth look at some of the features iThemes Security Pro offers to keep your site secure and running smoothly. Each link below takes you to the Feature Spotlight article for that feature and explains what the feature is, what it does, and the benefits of applying it to your site.
You shouldn’t need to be a cyber-security expert to keep your site safe from attack. And with the new iThemes Security Onboarding, you don’t have to be an expert. Anyone can secure their WordPress website in a matter of minutes, all without needing a degree in computer science.
Some features and settings are recommended for every site. The Security Check tool ensures that your site is using these recommendations. The features enabled by the Security Check are: Banned Users, Database Backups, Local Brute Force Protection, File Change Detection, Magic Links, Site Scan Scheduling, Network Brute Force Protection, Passwordless Login, Strong Passwords, Two-Factor Authentication, User Logging, and WordPress Tweaks.
The User Groups module in iThemes Security Pro lets you quickly see which settings that affect the user experience are enabled, and change them from a single location. In the User Groups settings you will see all of your user groups and the security settings enabled for each group, and you can quickly toggle those settings on and off. User Groups gives you confidence that you are applying the right level of security to the right users.
The Away Mode setting will allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers, this could also be useful to disable site access based on a schedule for classroom or other reasons.
File Change Detection tells you which files in your WordPress installation have changed, alerting you to changes you did not make yourself. Unlike other solutions, this plugin looks only at your installation and compares files against the previous check rather than against a remote installation, so it can take into account changes you made yourself.
Local Brute Force Protection & Banned Users
If someone had unlimited time and were willing to try an unlimited number of password combinations to get into your site, they would eventually succeed, right? This method of attack, known as a brute force attack, is something WordPress is acutely susceptible to because, by default, the system doesn't care how many login attempts a user makes; it will always let you try again. Enabling login limits bans the host from attempting to log in again once the specified bad-login threshold has been reached.
Manage and configure Password Requirements for users. We know how hard it can be to get people to follow security best practices. A strong password is an essential part of your WordPress login security. Let’s talk about some of the common password pitfalls that can put your website at risk.
These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.
As a reminder, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.
Magic Links & Passwordless Login
Bypass lockouts using a Magic Link. Enable logging in without a password.
Enabling this feature allows administrators to temporarily grant a user of the site extra access for a specified period of time. For example, a contractor can be granted developer access to the site for 24 hours, after which that access is automatically revoked.
Protect your site from bots by verifying that the person submitting comments or logging in is indeed human.
See a real-time overview of the security activity on your website with the iThemes Security Dashboard, a dynamic dashboard that puts all of your WordPress website's security activity stats in one place. It brings your security logs to life by pulling together related entries and displaying them in a way that is relevant to you.
Two-Factor Authentication greatly increases the security of your WordPress user account by requiring additional information beyond your username and password in order to log in.
Log user actions such as login, saving content and others.
Protect your site when outdated software is not updated quickly enough. Keeping software updated is an essential part of any security strategy. Updates aren’t just for bug fixes and new features. Updates can also include critical security patches. Without that patch, you are leaving your phone, computer, server, router, or website vulnerable to attack.
Trusted Devices identifies the devices users use to log in and can apply additional restrictions to unknown devices. By default, users will receive a notification in the admin bar about pending unrecognized devices, but we strongly recommend also enabling the "Unrecognized Login Notification" email in the Notification Center. Trusted Devices also powers the "Remember Device" setting in Two-Factor Authentication.
The iThemes Security Pro Grade Report feature helps you quickly find and resolve security weaknesses on your website by showing you a “grade” based on a number of factors that impact the security of your site.
This site scan is powered by iThemes. We use several data points to check for known malware, blocklist status, website errors and out-of-date software. These data points are not 100% accurate, but we try our best to provide thorough results.
Results of previous scans can be found on the logs page.
The WordPress Security Logs are a great way to keep track of security events on your website. Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. It is for those reasons that Insufficient Logging landed on the OWASP top 10 of web application security risks.