Here are the master ban settings. These are the criteria the features use to determine when to permanently ban IPs. The banned IPs are written to the .htaccess file.
Whitelist your IP here to avoid being locked out.
Choose whether to store your Security logs in the database or in a file stored on your server.
Choose how long to keep the logs to help conserve resources.
If you’re using the InfiniteWP service, you’ll want to enable compatibility for it.
If you know you’re not using a proxy service like Varnish or Cloudflare, you can enable Override Proxy Service to better identify IPs.
Hack Repair Default Blacklist enables a blacklist with several known bad actors and bots you may not need. However, some sites that make use of third-party applications need some of these. Check the full functionality of your site after enabling it.
The list of IPs and IP ranges to be banned from your site. You can use IPv4 or IPv6 formats.
You can ban specific user agents.
Local Brute Force Protection
The IPs will be written to the .htaccess and permanently banned.
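The ban list above ends up as Apache rules in .htaccess, and a single malformed line there returns a 500 for the whole site. The following added shell example (my own, not the plugin’s code) renders a one-entry-per-line ban file (IPv4, IPv6 or CIDR) into an Apache 2.4 block and skips anything that is not a plausible address, so you can see what the generated rules look like and sanity-check a list before it is written. It assumes Apache 2.4 `Require` syntax (not the 2.2 `Deny from` form) and uses constructed documentation-range addresses.

```shell
#!/bin/sh
# Added example, not iThemes Security code: turn a ban list into an Apache 2.4
# block equivalent to what a plugin appends to .htaccess.
# Assumption: Apache 2.4 (Require / RequireAll), not 2.2 (Deny from).

# render_ban_block FILE
#   FILE holds one IPv4/IPv6 address or CIDR range per line; blank lines and
#   lines starting with # are ignored. Entries containing characters other
#   than hex digits, '.', ':' and '/' are reported on stderr and skipped, so a
#   stray line cannot produce a syntax error that takes the site down.
render_ban_block() {
    printf '# BEGIN ban list (generated)\n'
    printf '<RequireAll>\n'
    printf '    Require all granted\n'
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r entry; do
        case "$entry" in
            *[!0-9a-fA-F.:/]*)
                printf 'skipping invalid entry: %s\n' "$entry" >&2
                continue ;;
        esac
        # "Require all granted" plus "Require not ip" inside RequireAll means
        # everyone is allowed except the listed addresses.
        printf '    Require not ip %s\n' "$entry"
    done
    printf '</RequireAll>\n'
    printf '# END ban list\n'
}

# Constructed sample list using RFC 5737 / RFC 3849 documentation ranges.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '# blocked scanners\n203.0.113.0/24\n198.51.100.7\n2001:db8::/32\n' > "$demo"
    render_ban_block "$demo"
    rm -f "$demo"
fi
```

Run `sh render.sh --demo` to see the block; redirect the function’s output to a file and test it with `apachectl configtest` before dropping it into a live .htaccess.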
You can choose to automatically lock out a user trying to log in with the username “admin.” If you don’t have a user on your site with this username, you should enable this feature.
Manually create a backup and set a schedule.
Choose the backup method and how many backups to retain.
If you have tables you don’t need to be backed up like logs or temp tables, you can exclude them to save resources.
If you choose to enable scheduled backups, you can set how often it will run.
File Change Detection
Depending on what’s happening with your site, this can be the most resource-intensive feature in the plugin.
You can choose which files and directories are included in or excluded from the scan. I typically suggest excluding files with known processes to cut down on the noise; examples would be caching files, backup directories and the .htaccess file. Of course, this is personal preference.
Choose how to be notified of file changes.
Compare Online Files will scan your iThemes and WordPress Core files and let you know if any change is malicious.
File Permissions gives you a quick overview of your directory and file permissions and gives suggested values. Different environments use different permissions and that’s fine.
Make sure your directories aren’t 777 and your files aren’t 666.
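Both 777 on a directory and 666 on a file set the “other write” bit, so one `find` predicate catches them along with any similar mode. This added shell example (mine, not the plugin’s) lists world-writable directories and files under a WordPress root and, separately, strips the world-write bit while leaving owner and group permissions alone, which is why it is safer than blanket `chmod 755`/`644` on hosts that rely on group permissions. It assumes a POSIX `find` and `chmod` and takes the WordPress root as its argument.

```shell
#!/bin/sh
# Added example, not iThemes Security code: audit and fix world-writable
# permissions under a WordPress root (777 directories, 666 files and the like).
# Assumption: POSIX find(1)/chmod(1); $1 is the WordPress root directory.

# find_world_writable ROOT: print every directory or file under ROOT whose
# "other write" bit is set (-perm -0002 matches 777, 666, 667, 775+o=w, ...).
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print 2>/dev/null | sort
}

# count_world_writable ROOT: number of offending paths, printed on stdout.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# remove_world_write ROOT: clear only the world-write bit on the offenders.
# Owner/group bits are untouched, so a 775 directory stays 775 and a 666 file
# becomes 664 rather than being forced to one fixed mode.
remove_world_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Usage: sh perms.sh /var/www/html        (report)
#        sh perms.sh /var/www/html --fix  (report, then fix)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    printf 'world-writable entries under %s: %s\n' "$1" "$(count_world_writable "$1")"
    find_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        remove_world_write "$1"
        printf 'after fix: %s\n' "$(count_world_writable "$1")"
    fi
fi
```

Run the report first and read the list; a cache or upload directory that a separate PHP-FPM user writes into may legitimately need group write, but it should never need world write.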
Network Brute Force Protection
When you enable this, you’re able to “crowd share” our iThemes blacklist. If any IP has been banned on any other site in our network, it will be banned from your site as well.
The SSL module allows you to force SSL on the whole site, per page or in the dashboard, if your site supports SSL. Note that sites that already redirect to https don’t need this; it’s for sites that aren’t forcing the redirect.
System Files – Protects sensitive files from being viewed by the public.
Directory Browsing – Prevents users from seeing the directory list of the site when an index.php file isn’t present.
Disable PHP in Uploads – This does not affect functionality. It prevents outside sources from executing potentially malicious scripts.
Disable PHP in Plugins – This does not affect functionality. It prevents outside sources from executing potentially malicious scripts.
Disable PHP in Themes – This does not affect functionality. It prevents outside sources from executing potentially malicious scripts.
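The System Files, Directory Browsing and Disable PHP options above all come down to directives in .htaccess files: one at the site root, and one in each of wp-content/uploads, plugins and themes. This added shell example (mine, not the plugin’s) audits a WordPress root for those protections and can emit an Apache 2.4 deny block for the three content directories; it reports what is missing rather than editing anything. It assumes Apache 2.4 syntax, and the exact rules the plugin writes may differ from the block shown here.

```shell
#!/bin/sh
# Added example, not iThemes Security code: check whether the .htaccess
# hardening this section describes is actually present, and print the
# PHP-execution deny block for directories that lack it.
# Assumptions: Apache 2.4 directives; $1 is the WordPress root.

# php_deny_rules: Apache 2.4 block that refuses to serve any PHP file in the
# directory it is placed in (uploads/plugins/themes should never execute PHP
# directly through the web server).
php_deny_rules() {
    printf '<FilesMatch "\\.(php|phtml|php[0-9])$">\n'
    printf '    Require all denied\n'
    printf '</FilesMatch>\n'
}

# audit_wp_htaccess ROOT: one line per missing protection, nothing if clean.
audit_wp_htaccess() {
    root="$1"
    # Directory Browsing: listings must be switched off at the root.
    if ! grep -qs 'Options[[:space:]].*-Indexes' "$root/.htaccess"; then
        echo "missing: directory browsing not disabled in $root/.htaccess"
    fi
    # System Files: wp-config.php must not be servable.
    if ! grep -qs 'wp-config\.php' "$root/.htaccess"; then
        echo "missing: wp-config.php not protected in $root/.htaccess"
    fi
    # Disable PHP in Uploads/Plugins/Themes: a FilesMatch block for php plus a
    # deny directive (2.4 "Require all denied" or legacy "Deny from all").
    for dir in uploads plugins themes; do
        f="$root/wp-content/$dir/.htaccess"
        if ! grep -qs 'FilesMatch.*php' "$f" || ! grep -qs -e 'Require all denied' -e 'Deny from all' "$f"; then
            echo "missing: PHP execution not blocked in $f"
        fi
    done
}

# Usage: sh audit.sh /var/www/html
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    report=$(audit_wp_htaccess "$1")
    if [ -z "$report" ]; then
        echo "all checked .htaccess protections present"
    else
        printf '%s\n' "$report"
        echo "block to add to each unprotected wp-content directory:"
        php_deny_rules
    fi
fi
```

The grep checks are deliberately loose (they look for the directive, not its exact spelling), so a hand-written rule in a different style still passes; what they will not catch is a rule that Apache ignores because `AllowOverride` is off for that path, which is worth confirming separately.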
File Editor – Enabling this disables the File Editor, limiting editing of the theme and plugins to those who have direct access to the server.
XML-RPC – This file can allow access to your site. If nothing on your site uses it, disable it. If you use Jetpack or the WordPress Mobile app, set it to Disable Pingbacks.
Multiple Authentication Attempts per XML-RPC Request – The XML-RPC file can allow a brute force attack to make hundreds of attempts per request. This should be disabled.
REST API – By default, the REST API can provide public access to posts, users and media. It should be restricted to logged-in users that have access to this information.
Force Unique Nickname – This helps combat user enumeration by forcing new users and users that update their profile to use a nickname to prevent harvesting of their usernames.
Disable Extra User Archives – This makes it harder for bots to determine usernames by disabling post archives for users that don’t post to your site.
Login with Email Address or Username – Choose whether users can log in with their username, their email or both.
Hide Backend – The Hide Backend feature allows you to change your login slug. Changing your WordPress admin URL adds a good extra layer of security, but it should not take the place of Two-Factor and Strong Passwords. This feature is on the Advanced settings page because it can conflict with other plugins and themes.
Some installations of WordPress come with the standard username admin, with a database user ID of 1. This feature allows you to change both.
If your site doesn’t have a username admin, the option to change it will not be present.
You should make a backup before using this feature. If something goes wrong during the update this is the easiest way to recover.
Change Database Table Prefix
By default, all WordPress sites have the prefix wp_. This feature further obscures your site by changing it to something random.
You should make a backup before using this feature. If something goes wrong during the update, this is the easiest way to recover.
Server Config and wp-config.php Rules
You may have chosen not to allow iThemes Security to write to these files, or it’s not able to for some reason. You can find the rules here to add them manually. If needed, you can see how to edit the wp-config.php file in this article.
Enable Magic Links to receive an email with an alternate login link when your username has been locked out due to a brute force attack.
Site Scan Scheduling
The scanner will do a quick scan of your site.
Enabling scheduling will set the scanner to scan your full site daily. You can configure a notification email when issues are found or check the logs.
You can grant temporary Administrator privileges to any user and set them to expire after however many days you’d like.
Strong Passwords – Require strong passwords by user role.
Password Expiration – It’s a best practice to routinely update your WordPress password. With Password Expiration, you can force users, by role, to update their password every X days.
Minimum Role – For more information on WordPress roles and capabilities, please see http://codex.wordpress.org/Roles_and_Capabilities.
Refuse Compromised Passwords – Force users to use passwords which do not appear in any password breaches tracked by Have I Been Pwned.
With reCAPTCHA, you can add an extra layer of defense to your login page, registration and comments. You can choose between V2, which is the one most of us are familiar with, the new Invisible reCAPTCHA that doesn’t even require a user to check a box, or V3.
You can configure how many failed attempts will result in a lockout.
Settings Import and Export
You may have many sites that you’d like to share your settings with or possibly just have a backup of them. This feature makes it really easy. Check out our Import/Export documentation to learn more.
This is one of the best, most secure features in the plugin. If an attacker somehow obtains your WordPress credentials they’ll also need your device, access to your email or your backup codes.
Force users to use Two-Factor based on their roles or abilities. This can be applied to both the front end and the back end of the site.
If you have users that don’t use Two-Factor or a site with outdated software, you can force them to use it as well.
This is useful for tracking user actions on the site such as logins and modifying content.
Keeping everything on your sites up to date is paramount. Software always has the chance to have a vulnerability and, if you don’t stay up to date, it can be exploited once it’s discovered. These features allow you to automatically update WordPress Core, plugins and themes, and add an extra layer of security when the site is running outdated software.
Auto Update WordPress Core, Plugins and Themes – Configure automatic updates for all software on the site.
Strengthen Site When Running Outdated Software – Enables extra security when available software updates haven’t been applied for at least a month.
Scan For Old WordPress Sites – Schedule a daily scan of your hosting account for old WordPress installations that could be compromised.
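Forgotten copies of WordPress (a staging clone, an old backup unpacked into a subdirectory) are the usual way a hosting account ends up with an outdated install nobody updates. This added shell example (mine, not the plugin’s scanner) shows the core of such a scan: it locates every wp-includes/version.php under a hosting root, reads the `$wp_version` string from it, and lists the installs whose version differs from the one you pass in. It assumes each install keeps the standard wp-includes layout; the version numbers in the demo and test are constructed samples.

```shell
#!/bin/sh
# Added example, not iThemes Security code: find every WordPress install
# under a hosting account root and report those not on the expected version.
# Assumption: standard layout, i.e. <site>/wp-includes/version.php containing
# a line like  $wp_version = 'X.Y.Z';

# list_wp_installs ROOT: print "<site-dir> <version>" for each install found.
list_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | while IFS= read -r vf; do
        site=${vf%/wp-includes/version.php}
        # Pull the quoted value out of the $wp_version assignment.
        ver=$(sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$vf" | head -n 1)
        printf '%s %s\n' "$site" "${ver:-unknown}"
    done
}

# find_outdated_wp ROOT CURRENT: the subset whose version is not CURRENT
# (an install with no readable version string is reported as "unknown" and
# therefore also flagged, which is the safe default).
find_outdated_wp() {
    list_wp_installs "$1" | awk -v cur="$2" '$2 != cur { print }'
}

# Usage: sh scan.sh /home/account CURRENT_VERSION
if [ -n "${1:-}" ] && [ -d "$1" ] && [ -n "${2:-}" ]; then
    echo "WordPress installs under $1:"
    list_wp_installs "$1"
    echo "not on $2:"
    find_outdated_wp "$1" "$2"
fi
```

Pass the version your main site runs as the second argument; anything the scan flags is either a forgotten install to delete or one that needs the same update and hardening as the primary site.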
iThemes Security Logs
The iThemes Security Logs give you an overview of all logged actions on the site; the All Logged Data section lists every action.
From the drop-down, you can select Brute Force, File Change, login-interstitial, Malware Scan, Notification Center, Two-Factor, User Logging or Version Management for more detailed logs of those actions.
Some have a details link that will show more specific information about the action.