Tutorial – Secure your WordPress website properly with the free iThemes Security plugin

Tutorial – Secure your WordPress website properly with the free iThemes Security plugin
datum-geschreven 6 Jul 2023

You want to secure your WordPress website against hackers and malware, right? That can be done in many ways, but we assume you don’t want to incur any costs.

We will now show you step by step how to install the free version of iThemes Security and, more importantly:

how to optimize the settings of iThemes Security for WordPress

Let’s start with the installation. We assume that you haven’t activated any antivirus plugins on your website. If you have, it is recommended to remove the old one since having two security plugins can adversely affect the speed and functionality of your website.

Do you have WordFence? Cerber? Ninja Security? Well, then you’ll have to choose 😉
If it’s iThemes Security, then read on!


Before you get started, make a backup of your website.
You can use the free plugin UpdraftPlus to create a backup.

Installing iThemes Security

Go to your admin panel and navigate to “Plugins” -> “Add New”.
Type “ithemes” in the search field, and iThemes Security will appear.
Click on “Install Now”.
After that, click on “Activate”.

That wasn’t so difficult, was it?
But now the configuration begins.

Security Check

When you first install iThemes Security, you will see a screen with some default options.


You can click on the blue button to enable some default features. You will come across them later in this guide.

Many people think that everything is immediately set up correctly

But if you want to make the most out of your website security, there are several options that you can enable. In the next step, we will help you configure various important functions that are not yet enabled.

Configuring iThemes Security

Go to the “Security” -> “Settings” tab in your admin panel if you haven’t seen those options yet.

You will see several blocks there, with the light blue ones being active and the white/gray ones not yet.

blokken ithemes security

Note: we won’t enable all the features. For example, the “Away Mode” allows you to make your admin inaccessible during the night… a nice feature, but just don’t do it 😉

Let’s start configuring!

First, go to the block: Global Settings

Scroll down until you see the bold sentence “Days to retain the database of logs“.
Change it from 60 days to 25 days.
globale instellingen dagen

Why: within 60 days, sometimes so many notifications are generated that your database becomes too burdened. While your database might be

10 MB in size with only a few posts, the logs can quickly accumulate to 125+ MB of data. This is not good for the speed of your database and, consequently, your website.

Now you’re done with that, and you can move on to the next block: Notification Center

By default, it is checked to send notifications to all administrators. This is not ideal. We assume that you manage the website, and in that case, it’s even risky to send all notifications to every administrator. Uncheck “All administrators” and check your own name instead.

notificatie beheerder veranderen

It is recommended to uncheck the “Daily Security Update” and “Site Lockouts” options. We assume that you regularly monitor your website and/or check the logs. We will cover this in more detail later.

notificaties uitvinken

Why turn off notifications? Well, otherwise, you’ll receive an email every day for any activity on your website. For example, blocking attempted intrusions by bots. You may even receive multiple emails per day because bot intrusion attempts are quite common. While the security plugin blocks them, you don’t want to get nervous every time the plugin does its job.

Don’t forget to save the settings with the blue button at the bottom before moving to the next block.

404 Detection

Enable this feature. The 404 Detection keeps track of how many times a specific computer searches for non-existent pages. Bots, viruses, and malware generate a large number of requests in a short period as they search for vulnerabilities in plugins, themes, and your WordPress release.

If you have many files/images in your website that are not correctly linked, they can also generate 404 errors, potentially triggering false positives for legitimate visitors. Therefore, change the “Threshold” from 20 errors to 50 errors. This means someone would have to make a significant effort to trigger the 404 monitor.

drempelwaarde 404 monitoring

Ps: The registration of 404 errors is not only passive but also active. If too many 404 errors come from an IP address, it will be temporarily blocked. If that computer/person/bot continues to visit incorrect pages, it may eventually receive a longer or even permanent ban, which means they won’t be able to access your website or cause any trouble.

And that’s what you’re aiming for – you don’t want hackbots to abuse the server‘s capacity.

Database Backups

Decide whether you want to have a backup in your mailbox or set the “backup method” to store backups only locally. As mentioned before, iThemes Security is here to do its job but not to overwhelm you with email notifications and data.

backup methode

Storing backups locally means that the database backup will be saved on the server. Change the “number of backups to keep” to 3 to 10, for example.

Ps: Check the “Schedule database backups” option at the bottom to enable automatic backups.

WordPress Contants

This information is more relevant to experienced programmers, and they wouldn’t rely on the site diagnosis tool for this information 😉

However, if you really want to, you can check here whether the “debug mode” is on or off, if “debug logging” is enabled, and if the paths to wp-content and plugins are correct.

File System Permissions

Those terms… which translator came up with them.
Anyway, here you can see if the most important directories, such as the root directory, wp-content directory, plugins directory, and some others, are writable.

Conclusion and Closing

If you have used the site diagnosis tool of iThemes Security before, let us know in the comments and whether it was helpful.

Honestly, this information is mainly for advanced programmers, and they would look directly at the places where the settings are located instead of using this diagnostic tool.


The first thing a hacker does is gather technical information about a website. So, do you really want a code on your website that displays all the technical information? Not really!

De meeste artikelen worden geschreven door Mathieu Scholtes, de eigenaar van WPBeveiligen. Op de hoogte blijven van het laatste WordPress nieuws? WordPress tips? WordPress aanbiedingen?
Connect dan op Linked-in!

Heb je een vraag? Tip of gedachte? Deel die!

Breng me op de hoogte
0 Reacties
Inline Feedbacks
Bekijk alle reacties