iThemes Security Check

The first time you visit the iThemes Security dashboard you'll be welcomed by a popup window titled Security Check. 

The Security Check module should automatically display as soon as you update to the latest version of iThemes Security and visit the Security > Settings page. Simply click the “Secure Site” button to complete the security check.


Security Check will then give you a status of all the settings/features enabled by the plugin.


After you’ve used Security Check, you can review the settings again from the Security > Security Check page or from the iThemes Security Settings dashboard.



Features/Settings Enabled by Security Check

With just one click of the “Secure Site” button, iThemes Security will enable and configure all the recommended security features and settings within the plugin. This table lists out the feature/setting and the benefits activated by the Security Check.



Banned Users Blocks specific IP addresses and user agents from accessing your site
Database Backups Creates database backups manually or on a schedule
Local Brute Force Protection Protects your site against attackers that try to randomly guess login details to your site
Malware Scan Scheduling (Pro) Protects your site with automated malware scans. When this feature is enabled, your site will be automatically scanned each day
Network Brute Force Protection Protects your site against known attackers before they reach your site
Strong Passwords (Pro) Helps enforce that powerful (admin) accounts choose strong passwords for their logins
Two-Factor Authentication (Pro) Greatly increases the security of your WordPress user account by requiring additional information beyond your username and password in order to log in to the site
User Logging (Pro) Logs user actions such as login, editing or saving content and other actions into a viewable list
WordPress Tweaks This feature has a variety of settings that change the behavior of WordPress


By using the “Secure Site” button, the following settings actions will be taken (if they were not previously set):

  • Enable the Enable Ban Lists setting in Banned Users. This ensures that IPs being blocked by other features are not ignored due to the setting being disabled.
  • Enable the Email Notifications setting in Malware Scan Scheduling to ensure that site admins are notified of potential malware issues.
  • Enable the Time-Based One-Time Password (TOTP) provider for Two-Factor Authentication.  When a user sets up their account to use TOTP authentication, they greatly increase the security of their account and make it near impossible for attackers to break into their account.
  • Enable the Email provider for Two-Factor Authentication. The email authentication option is a great alternative for users that cannot use Time-Based One-Time Password (TOTP) authentication.
  • Enable the Backup Verification Codes provider for Two-Factor Authentication. It is recommended that every user creates a set of backup verification codes to use in case they lose access to their Time-Based One-Time Password (TOTP) device or their email account.
  • Disable the File Editor in WordPress Tweaks as the file editor can be used by attackers to quickly add backdoors or malware injection to existing files.
  • Change the Multiple Authentication Attempts per XML-RPC Request setting in WordPress Tweaks to “Block”. This prevents attackers from using XML-RPC requests to efficiently brute force user login credentials.
  • Enable the Write to Files setting in Global Settings. Since many features of iThemes Security require writing to wp-config.php and server config files, having this setting disabled prevents a large number of features from working properly.
  • If needed, you can see how to edit the wp-config.php file in this article. 

Have more questions? Submit a request
Powered by Zendesk