In this tutorial, we walk through how to get started with iThemes Security Pro. We cover important first steps and how to navigate the iThemes Security dashboard.
Let’s take a look at how you can secure your site in 7 easy steps with the plugin’s onboarding process.
Step 1 – Pick a Security Site Template
The first step to secure your site is to pick a Security Site Template
An eCommerce site requires a different level of security than your average blog. That is why we created security site templates to auto-configure the best security settings for your website. You can choose from six different site templates.
- Ecommerce – A website to sell products or services.
- Network – A website to connect people and communities.
- Non-Profit – A website to promote your cause or collect donations.
- Blog – A website to share your thoughts or to start a conversation.
- Portfolio – A website to showcase your craft.
- Brochure – A simple website to promote your business.
Site Type Plugin Detection
If iThemes Security Pro detects that you have a plugin installed that matches a site type, it will recommend the correct template for your site.
Ecommerce Site Template Plugin Detection List
- Restrict Content
- Restrict Content Pro
- Easy Digital Downloads
- Paid Membership Pro
- Ultimate Member
Non-Profit Site Template Plugin Detection List
- Give WP
- PayPal Donations
Non-Profit Site Template Plugin Detection List
Step 2 – Identify Important Users
Before we go any further, let’s take a moment to talk about User Groups. To make it easier to manage the user security on your site, iThemes Security Pro sorts all of your users into different groups. Sorting users into different security groups allows you to manage the security settings that affect user experience.
In step 2, you will be asked any to identify any clients, the users that will manage iThemes Security Pro, and the user roles of your customers.
Just like site types, different types of users require different levels of security. After the key stakeholders of your site are identified, iThemes Security Pro will sort them into security groups. After the groups are sorted, you will be asked a series of questions to ensure the right amount of security is applied to each group.
Configuring Security For a Client
You will be asked if you are configuring iThemes Security Pro for a client on the second onboarding screen.
The onboarding process is designed to make things easier when configuring iThemes Security Pro on a client’s site. After selecting Client in step two, you will be asked to identify the WordPress users that your clients use.
Should your clients be able to view and make changes to the iThemes Security Pro settings?
After selecting your clients, iThemes Security Pro will create a Client security group. Then you will need to decide whether or not your clients should have access to the iThemes Security Pro settings.
Toggle the Yes, allow managing of iThemes Security Pro option to grant your clients access to the iThemes Security Pro settings.
There are times that your clients made need or demand to have Administrator access on a site that you manage for them. By default, all Administrator users have access to the iThemes Security Pro settings. However, restricting your client’s access to the security settings may be in everyone’s best interest.
We have heard stories of clients changing security settings without knowing what they are actually changing. Or, a simple lockout notification–a sign that security is working–caused unnecessary concern because the client thought it meant they had been hack.
Limiting access to the security settings can save both you and your clients a lot of headaches.
Configuring Security For Customers
During onboarding, you will be asked to select the WordPress user roles assigned to your customers. Depending on the complexity of your site, you may have multiple user roles for your different types of customers.
iThemes Security Pro will create a Customer security group that will include all of your customers. You probably don’t want to apply the same level of security to your site Administrators and Customers. Having a Customer security group allows you to only enable the settings that make sense for this type of user.
After selecting your customers, you will be asked a couple of questions about what security features you want to enable for this group.
Question 1: Do you want to secure your customer accounts with two-factor authentication?
Toggle the Yes, require Two-Factor for these users option to force your customers to use two-factor authentication when logging in.
Question 2: Do you want to secure your customer accounts with a password policy?
Toggle the Yes, enforce a password policy for these users will require your customers to use a strong password that hasn’t appeared in a database dump monitored by have i been pwned.
It is completely understandable and encouraged to make creating or logging into a customer account as easy as possible. However, your customer may not know that the password they are using has been found in a data dump. You would be doing your customer a great service by alerting them that the password they are using has been compromised. If they are using that password everywhere, you could save them from some major headaches down the road.
Selecting Who Will Mange iThemes Security Pro
Identify the people responsible for managing iThemes Security Pro will allow you to manage who should access the security settings.
Step 3 – Enable Important Security Features
In the onboarding flow, we highlight the most important security features you should enable. Let’s take a look at the recommended settings.
Login Security Settings
- Two-Factor – Increase the security of your WordPress login page by requiring an extra form of identification to login.
- Passwordless Login – Allow users to login without entering a password.
- Trusted Devices – Remove privileges when someone logs in from an unidentified device.
- Local Brute Force – Automatically lockout out users after repeated failed login attempts.
- Network Brute Force – Join a network of sites that report and protect against bad actors.
- Magic Links – Allow real users to request a magic link to bypass a lockout.
- reCAPTCHA – Identify and block bad bots.
Step 4 – Set Up User Groups
You have two options when setting up User Groups, Default (the easy way) and Custom (the hard way).
Default User Groups (Recommended)
Default User Groups are the simplest way to get started using iThemes Security Pro. iThemes Security Pro will create the user groups for you and enabled security settings for each group based on the Site Template you chose and the answers you gave during onboarding.
We can see that our Clients, Security Managers, and Customer security groups were created.
If we select the Customer User Group, we will find that based on the answers we gave that Strong Passwords and Refused Compromised Passwords are enabled but not Require Two-Factor.
If we click the Edit Group tab, we can see that all of the user roles we identified as our customers belong to the group.
Custom User Groups
Custom user groups give you more control over how groups are created and what security settings are applied to each group. However, you are required to build your user groups from scratch.
Step 5 – Configure Security Settings
Most iThemes Security Pro settings only need to be enabled to start protecting your site. But, some settings require a little extra configuration to start blocking bad guys.
Based on the Security Features you’ve enabled while settings up iThemes Security Pro, we will show you the most important settings for you to configure.
Authorized Host List
Add your IP to the Authorized Host List to prevent yourself from getting locked out or banned.
Network Brute Force Protection
Enter your email address to receive your Network Brute Force Protection license.
Generate new or enter your existing Google reCAPTCHA keys to start blocking bad bots.
Step 6 – Set Default Email Recipients
By default, all site Administrators receive email notifications generated by iThemes Security Pro. However, let’s make our user the default recipient to ensure our clients don’t receive any unwanted notifications.
Step 7 – Secure Your Site
The only thing left to do is to click the Secure Site button to apply everything we have done.
Bonus Step – Pat Yourself on the Back
Finally, pat yourself on the back for making your site more secure than ever!