iThemes Security Trusted Devices

Notice for Unrecognized Devices

After enabling the Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices.

Optional Email Notification

In addition to the WordPress admin login notice, an Unrecognized Login Notification email (optional, but recommended) can also alert you whenever an unrecognized device has been used to log in.

The Unrecognized Login Notification email is customizable from iThemes Security’s Notification Center. From the Notification Center settings, you can use the default text or add your own. This email notification supports basic HTML and email tags.

Restrict Capabilities on Unrecognized Sessions

When a user is logged in on an unrecognized device, you can restrict their administrator-level capabilities to prevent them from editing their login details.

Note: Enabling “Restrict Capabilities” requires the “Unrecognized Login” email notification to be enabled from the Notification Center within the iThemes Security plugin.

Session Hijacking Protection

Session hijacking, sometimes called cookie hijacking, is a strategy used by hackers to take control of your account while you are using it, effectively becoming the owner.

By enabling iThemes Security’s Session Hijacking Protection in the Trusted Devices setting, you can prevent session hijacking by checking that a user’s device does not change during a session. More information about iThemes’ new Trusted Devices and Session Hijacking features can be found here.

If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins. You can find more information about Session Hijacking here.
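
The check described in this section, as an added sketch rather than iThemes Security's own code: the session is bound to a device fingerprint at login, and any later request whose fingerprint differs destroys the session. The fingerprint inputs (User-Agent plus a coarse network prefix) and the names device_fingerprint and SessionStore are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-site secret; keeps fingerprints unguessable


def device_fingerprint(user_agent: str, ip: str) -> str:
    """Assumed device signal: User-Agent plus coarse network (/24 or /64)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{user_agent.strip().lower()}|{network}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> (username, fingerprint recorded at login)

    def login(self, username: str, user_agent: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, device_fingerprint(user_agent, ip))
        return token

    def validate(self, token: str, user_agent: str, ip: str):
        """Return the username, or None after destroying a session whose device changed."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, bound = entry
        current = device_fingerprint(user_agent, ip)
        if not hmac.compare_digest(bound, current):
            del self._sessions[token]  # forced logout: the cookie is now useless
            return None
        return username


def demo():
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"  # constructed sample values
    token = store.login("alice", ua, "203.0.113.10")
    same_device = store.validate(token, ua, "203.0.113.77")         # same /24, same browser
    changed = store.validate(token, "curl/8.5.0", "198.51.100.4")   # device changed mid-session
    after_logout = store.validate(token, ua, "203.0.113.10")        # session already destroyed
    return same_device, changed, after_logout
```

Because the session is deleted on the first mismatch, the original device must log in again as well; that is the trade-off of logging the user out rather than only rejecting the mismatched request.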

Geolocation Accuracy & Static Image Maps

iThemes Security uses geolocation to improve the accuracy of Trusted Device identification. You can use either the free MaxMind database, which allows for geolocation lookups without connecting to an external API, or, for the highest degree of accuracy, you can sign up for a MaxMind GeoIP2 Precision: City account. Most users should find the lowest credit amount sufficient.

iThemes Security also utilizes static image maps to display the approximate location of an unrecognized login. We recommend using either the Mapbox or MapQuest APIs. The free plan for both services should be sufficient for most users.

WordPress User Profile with Trusted Devices Info

Once Trusted Devices are enabled within iThemes Security, site admins can manage devices from the WordPress User Profile page. From this screen, site admins can approve or deny devices from the Trusted Devices list.

Note: Users can approve or deny devices through the WordPress admin bar notice or via their email notifications. The devices list on the Profile page is intended as a support tool for site administrators if a user locks themselves out accidentally. Auto Approval occurs when a new device is similar enough to an existing trusted device that Security Pro approves it automatically. 

Integration with Two-Factor Authentication

Trusted Devices powers iThemes Security’s “Remember Me” setting in Two-Factor Authentication. If the device doesn’t look the same, users are forced to re-enter their Two-Factor code instead of bypassing it.


Note: While remembering devices is convenient, it is more secure to require users to generate a new Two-Factor token each time they log in. 