The iThemes Security Pro plugin has over 50 different ways for you to secure and protect your WordPress website. You can enable most of the security methods in iThemes Security Pro with just a click of a button. However, if you can spare a few minutes to dive into the settings, you can add several layers of protection to your WordPress website.
In this post, we are going to give you 5 advanced tips and tricks for iThemes Security Pro to take the security of your website to the next level.
Tip #1 – Protect your WP Dashboard with Trusted Devices
The iThemes Security Pro Trusted Devices feature limits access to the WordPress dashboard to a list of approved devices.
Once you let iThemes Security Pro know which devices are yours, Trusted Devices can protect your site in 2 different ways:
1. Restrict the Capabilities of Unrecognized Devices – When someone logs in using an unrecognized device, you can restrict their administrator-level capabilities and prevent them from editing their login details. iThemes Security Pro will then send an email to the address set in their WordPress user profile.
The unrecognized login email will have the option to either confirm or block the device. If the Confirm Device button is clicked, the user will have their admin capabilities restored. If the This Was Not Me button is clicked, iThemes Security Pro will log out the illegitimate user and add the device to the denied device list in the WordPress profile.
2. Session Hijacking Protection – Session hijacking is an attack where a user session is taken over by an attacker. For example, WordPress generates a session cookie every time you log into your website. And let’s say you have a browser extension with a vulnerability that allows hackers to hijack your browser cookie. After hijacking your session, the hacker will be able to start making malicious changes to your website.
If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
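The device-change check described above, sketched as an added example (this is not iThemes Security Pro code). The page does not say how the plugin identifies a device, so the fingerprint used here (user agent plus IPv4 /24 prefix), the function names and the sample requests are all assumptions.

```php
<?php
// Added example, not iThemes Security Pro code. The fingerprint inputs (user agent
// plus IPv4 /24 prefix) are an assumption; all requests below are constructed.

/** Derive a keyed hash that stands in for the "device" a session was opened on. */
function device_fingerprint(array $request, string $secret): string
{
    // Keep only the first three octets so a DHCP renewal on one network still matches.
    $ipPrefix = implode('.', array_slice(explode('.', $request['ip']), 0, 3));
    return hash_hmac('sha256', $request['user_agent'] . '|' . $ipPrefix, $secret);
}

/** Open a session bound to the device that supplied the credentials. */
function start_session(array &$sessions, string $user, array $request, string $secret): string
{
    $token = bin2hex(random_bytes(32));
    $sessions[$token] = ['user' => $user, 'device' => device_fingerprint($request, $secret)];
    return $token;
}

/** Return the session's user, or null after destroying a session whose device changed. */
function check_session(array &$sessions, string $token, array $request, string $secret): ?string
{
    if (!isset($sessions[$token])) {
        return null; // unknown, expired, or already destroyed
    }
    // Constant-time comparison of the stored and current fingerprints.
    if (!hash_equals($sessions[$token]['device'], device_fingerprint($request, $secret))) {
        unset($sessions[$token]); // the cookie is now useless to both parties
        return null;
    }
    return $sessions[$token]['user'];
}

$secret   = 'constructed-demo-key';
$sessions = [];
$laptop   = ['ip' => '203.0.113.24', 'user_agent' => 'Mozilla/5.0 (Macintosh) Firefox/125.0'];
$other    = ['ip' => '198.51.100.7', 'user_agent' => 'Mozilla/5.0 (X11; Linux) Chrome/124.0'];

$cookie = start_session($sessions, 'admin', $laptop, $secret);
var_dump(check_session($sessions, $cookie, $laptop, $secret)); // request from the login device
var_dump(check_session($sessions, $cookie, $other, $secret));  // same cookie replayed from another device
var_dump(check_session($sessions, $cookie, $laptop, $secret)); // login device again, after the mismatch
```

The third call shows the trade-off of this design: once a mismatch destroys the session, the legitimate user also has to log in again.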
Tip #2 – Use Google reCAPTCHA v3 to Block Bad Bots
The Google reCAPTCHA feature in iThemes Security Pro protects your site from bad bots. These bots are trying to break into your website using compromised passwords, posting spam, or even scraping your content. reCAPTCHA uses advanced risk analysis techniques to tell humans and bots apart.
What’s great about reCAPTCHA version 3 is that it helps you detect abusive bot traffic on your website without any user interaction. Instead of showing a CAPTCHA challenge, reCAPTCHA v3 monitors the different requests made and returns a score. The score ranges from 0.01 to 1. The higher the score returned by reCAPTCHA, the more confident it is that a human made the request. The lower the score, the more confident it is that a bot made the request.
iThemes Security Pro allows you to set a block threshold using the reCAPTCHA score. Google recommends using 0.05 as your default. Keep in mind that you could inadvertently lock out legitimate users if you set the threshold too high.
Let’s say you set the block threshold to 1, which means you want Google to block anything they aren’t 100% sure is human. Now one of your customers sends a login request to your website. This customer uses a password manager to autofill their passwords, and reCAPTCHA gives their login request a score of 0.7.
So even though your customer didn’t use their keyboard to type in their credentials, Google is pretty sure your customer is human. But, your customer will still get locked out because you set a threshold of 1.
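The lockout scenario above, worked through as an added example (not iThemes Security Pro code). It evaluates constructed reCAPTCHA v3 verification responses against the threshold of 1 from the scenario and against 0.5, a lower value picked only for comparison; the function name, the hostname and the sample scores other than 0.7 are assumptions.

```php
<?php
// Added example, not iThemes Security Pro code. Sample responses are constructed.

/**
 * Decide whether to allow a request from a decoded reCAPTCHA v3 siteverify response.
 * Returns [bool $allow, string $reason].
 */
function recaptcha_decision(array $resp, float $blockThreshold, string $expectedAction, string $expectedHost): array
{
    // A failed verification (bad, expired or reused token) carries no usable score.
    if (empty($resp['success'])) {
        return [false, 'verification failed: ' . implode(',', $resp['error-codes'] ?? ['unknown'])];
    }
    // The token must have been issued for this site and this form.
    if (($resp['hostname'] ?? '') !== $expectedHost) {
        return [false, 'hostname mismatch'];
    }
    if (($resp['action'] ?? '') !== $expectedAction) {
        return [false, 'action mismatch'];
    }
    $score = (float) ($resp['score'] ?? 0.0);
    if ($score < $blockThreshold) {
        return [false, sprintf('score %.1f below threshold %.1f', $score, $blockThreshold)];
    }
    return [true, sprintf('score %.1f', $score)];
}

// Constructed verification responses, in the JSON shape the siteverify API returns.
$samples = [
    'password-manager login' => '{"success":true,"score":0.7,"action":"login","hostname":"example.com"}',
    'scripted login'         => '{"success":true,"score":0.1,"action":"login","hostname":"example.com"}',
    'token from other form'  => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'expired token'          => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];

// 1.0 is the threshold from the scenario above; 0.5 is a lower value for comparison.
foreach ([1.0, 0.5] as $threshold) {
    printf("Block threshold %.1f\n", $threshold);
    foreach ($samples as $label => $json) {
        $resp = json_decode($json, true) ?? []; // undecodable JSON is treated as a failed check
        [$allow, $reason] = recaptcha_decision($resp, $threshold, 'login', 'example.com');
        printf("  %-24s %s (%s)\n", $label, $allow ? 'ALLOW' : 'BLOCK', $reason);
    }
}
```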
You can enable reCAPTCHA on your WordPress user registration, reset password, login, and comments. iThemes Security Pro allows you to run the Google reCAPTCHA script on all pages to increase the accuracy of its bot vs. human score.
Tip #3 – Use Privilege Escalation to Create a Universal Support User
The most underutilized feature in iThemes Security Pro is Privilege Escalation. The feature allows you to temporarily escalate the privileges of a user.
Anytime you create a new user, especially an Admin user, you are adding another entry point that a hacker could exploit. But, there are times you may need some outside help for your website, like when you are seeking support.
You can create a new user and name it Support and give it the Subscriber user role. The next time you need to provide temporary access to your website, navigate to your Support user’s Profile page.
Update the email address to allow the outside support person to request a new password. Then scroll down until you see the Temporary Privilege Escalation settings. Click the Set Temporary Role toggle, and select Admin. The user will now have Admin access for the next 24 hours.
If they don’t need the full 24 hours, you can revoke the privilege escalation from the user profile page.
Tip #4 – Make Security Easy for your Users
By definition, every security measure is designed to decrease the convenience of whatever is receiving the added security. So I want to share three features in iThemes Security Pro that can make security easy for everyone on your website.
1. Two-Factor Onboarding
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks.
Two-factor onboarding is a user-friendly way for people to set up two-factor on their accounts. Every user that has two-factor authentication enabled will be guided through the onboarding flow the next time they log in.
After entering your credentials, you will be presented with the onboarding welcome text. Keep in mind that you can customize this in your two-factor settings.
Throughout the flow, you will have the option to enable and configure the methods of two-factor that you want to use.
By the end of the flow, your and your users’ accounts will have the strong layer of security that two-factor authentication provides.
2. Magic Links
A bot may scrape your author’s page to gather usernames to use in a brute force attack on your website. It sucks getting locked out because some bot is trying to hack their way into your website using your username.
When your username is locked out, you can request an email with a unique login link. Using the emailed link will bypass the username lockout for you, while brute force attackers are still locked out.
Simply click the “Send authorized login link” link to receive your Magic Links email.
Once you receive the email, use the link, enter your credentials and you will be back in your site!
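One way a lockout-bypass link like this can be built, as an added example (not iThemes Security Pro code): a random, single-use, expiring token that lifts the lockout only for the request that redeems it. The URL parameter name, the 15-minute lifetime, the username and the in-memory stores are assumptions made for the sketch.

```php
<?php
// Added example, not iThemes Security Pro code. The URL parameter, 15-minute
// lifetime and in-memory stores are assumptions; all values are constructed.

/** Create a one-time login link for a locked-out username. */
function issue_magic_link(array &$links, string $username, int $now, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32)); // 256 random bits, not guessable
    // Keep only a hash server-side so a leaked table does not contain usable links.
    $links[hash('sha256', $token)] = ['user' => $username, 'expires' => $now + $ttl];
    return 'https://example.com/wp-login.php?magic_token=' . $token;
}

/** Consume a token; returns the username it unlocks, or null if unknown, used or expired. */
function redeem_magic_link(array &$links, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($links[$key])) {
        return null;
    }
    $entry = $links[$key];
    unset($links[$key]); // single use, whether or not it is still in date
    return $now <= $entry['expires'] ? $entry['user'] : null;
}

/** A locked-out username may attempt a login only if this request redeemed its own link. */
function may_attempt_login(array $lockedOut, string $username, ?string $redeemedFor): bool
{
    return !in_array($username, $lockedOut, true) || $redeemedFor === $username;
}

$links     = [];
$lockedOut = ['editor_jane']; // locked after a bot's failed guesses
$now       = 1700000000;      // fixed clock for the demo
$tokenOf   = fn(string $url): string => substr($url, strrpos($url, '=') + 1);

$fresh = $tokenOf(issue_magic_link($links, 'editor_jane', $now));
$stale = $tokenOf(issue_magic_link($links, 'editor_jane', $now));

$cases = [
    'bot, no link'        => null,
    'owner, emailed link' => redeem_magic_link($links, $fresh, $now + 60),
    'same link replayed'  => redeem_magic_link($links, $fresh, $now + 120),
    'link after expiry'   => redeem_magic_link($links, $stale, $now + 901),
];
foreach ($cases as $case => $redeemedFor) {
    $ok = may_attempt_login($lockedOut, 'editor_jane', $redeemedFor);
    printf("%-20s %s\n", $case, $ok ? 'may enter credentials' : 'still locked out');
}
```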
3. Passwordless Logins
Whether we in the security community want to admit it or not, using a password manager and two-factor authentication can be a pain and time-consuming, especially as we move more and more of our lives online.
So we wanted to create a way for people to get all of the security that a strong and unique password provides without sacrificing the usability.
What are Passwordless Logins?
Passwordless login is a new way to verify a user’s identity without actually requiring a password to log in. We evolved Magic Links into a new login method that allows you to require users to use strong passwords and two-factor authentication without ever entering a password or an extra authentication code.
How the Passwordless Login Method Works
When logging in, you will be asked to choose a login method. Click the Email Magic Link button to send the email containing the passwordless login link.
You will now see a message confirming the email has been sent.
In your email inbox, open the Magic Link email and click the Login Now button.
And that is it, no entering of a password or two-factor token. This means that once you enable Passwordless Login, you don’t have to know your complicated password or copy and paste an extra code to log in. However, those bad guys trying to brute force your site will have a 0% success rate.
Tip #5 – Enable the Debug Menu for Advanced Troubleshooting
There might be times that you are asked by iThemes Security Pro support to enable the debug menu. To enable the Debug menu in iThemes Security Pro, you will need to add the code below to your wp-config.php file.
define( 'ITSEC_DEBUG', true );
Be sure to add the code above the “That’s all happy blogging.” line.
You will now be able to access the Debug menu in iThemes Security Pro.
You can view your System Info, load the configuration of your Settings, view the security events Scheduler, and see which emails are being sent by the Notification Center. The debug troubleshooting tool I want to highlight in this post is the Scheduler.
The Scheduler shows you all of the different scheduled events in iThemes Security Pro. Scheduled events are things like Site Scans, File Change Scans, clearing lockouts, and a whole lot more. What these functions have in common is their need to be scheduled in advance, and they rely on wp-cron to run.
Let’s say that it has come to your attention that the File Change scan isn’t running on your website even though you enabled File Change in your security settings. You can enable the debug menu to see if the File Change scan is in your list of scheduled events. If it isn’t, this means something went wrong before an event was created. You can resolve this issue by clicking the ITSEC_Scheduler_Cron Reset button. Resetting the cron will force the Scheduler to check the security settings and rebuild the list of scheduled events, including your missing File Change scans.
The iThemes Security Pro plugin offers excellent protection out of the box, but if you dive into the settings, you will find some really cool security tools. These tools can help add several layers of security to your WordPress login and dashboard, block bad bots, and even make security easier for everyone on your website, including you.