WordPress security has become one of the biggest markets in the online marketing space: thousands of websites are compromised each day because of security vulnerabilities, and website owners spend critical time and a great deal of money adding extra security layers to their most popular websites or business blogs.

Today I will discuss WordPress security vulnerabilities, how to tell whether your website has been hacked, and the complete setup procedure for a well-known WordPress security suite, iThemes Security Pro. Let’s begin…

Vulnerabilities of WordPress Security

WordPress websites face a number of potential and highly targeted vulnerabilities, which today are the biggest obstacle to running a WordPress site without trouble. Common sense tells most of us that changing the “admin” username and choosing a strong password will protect a site in many ways. Choosing a strong password does matter, but a strong password alone cannot provide a complete security layer for a WordPress site.

The potential WordPress vulnerabilities include:

  • Server vulnerabilities
  • Theme security
  • Plugin security
  • File permissions
  • Securing specific files (like wp-admin and wp-config and wp-includes)
  • Database security
  • Computer vulnerabilities
  • FTP vulnerabilities
  • and more

The vulnerabilities listed above can’t be fixed with a single plugin or service provider, but with a combination of recommended products and services a WordPress site can be made 100% secure and safe from all kinds of potential attacks.

For website owners who are serious about online business, protecting their sites from all kinds of potential vulnerabilities, by any means, is the goal.

So today I will walk you through recognizing a hacked WordPress site and reducing your WordPress vulnerabilities by installing a recommended WordPress security tool, “iThemes Security Pro.”

How to Understand if Your Site is being Hacked?

Knowing whether your site is being hacked is a big deal, since you operate in a space where website hacking is a common phenomenon. A few activities will keep you up to date with the latest events on your website, especially unusual activity such as hacking.

Following are a few ways you can measure your website’s health:

  • Google Webmaster Tools: GWT is the best place to start searching for vulnerabilities of your WordPress site, through the advanced Search Console dashboard. If your site is under potential attack, Google will immediately warn you and display a message in your Search Console mailbox; in addition, the message will be sent to your Gmail account.
  • Sucuri Sitecheck: Sucuri Sitecheck is a free service that scans your entire WordPress site for potential vulnerabilities. If you scan your site with the Sucuri free plan, you may not get the notifications of critical problems and errors that you would get from the Sucuri paid plan, so the paid plan is recommended for real-time notifications of your site’s health. Sucuri can give you a heads-up about website malware, spam injections, defacing or blacklisting.
  • CodeGuard: CodeGuard is a time machine for your WordPress site: a fantastic and reliable website backup that tracks all of your changes daily. Try CodeGuard with the free trial.
  • Google Alerts: Google Alerts is a free service that, with the aid of the Google Analytics tool, can send you scheduled alerts about website activity and potential vulnerabilities of your WordPress site. This tutorial better explains how to use Google Analytics and Alerts together to monitor your website’s latest events and activities.

So we have learned about potential WordPress security vulnerabilities and how to tell whether your site is being hacked. Now I will walk you through a complete setup tutorial for a well-known WordPress security tool, “iThemes Security Pro.”

As the name suggests, it’s the full version of iThemes Security, though you can follow this tutorial with the free version too, apart from the Pro features.

iThemes Security Pro

iThemes Security (formerly Better WP Security) is one of the most popular WordPress security plugins on the market today, offering 30+ ways to secure and protect your WordPress site from attacks. To date, iThemes Security has a rating of 4.7 out of 5 with 7M+ active installs.

Install and Activate

iThemes Security comes in both free and paid versions. If you are running a business, the paid version is recommended because it enables an extra security layer across your WordPress site with multiple security settings. If money is a concern, go for the free version.

For the purposes of this tutorial, I will show how to install and activate the Pro version of iThemes Security on a WordPress site.

First of all, go to iThemes.com/security and download iThemes Security, choosing your preferred plan.

After buying iThemes Security Pro you need to activate the license for your website with iThemes Sync Standard. To activate the license, simply click on “Licensing” and choose “Setup 10 Sites for Free.”

Licensed sites

Now you can buy iThemes Sync Standard (10 sites) for $0.00. After buying, you will receive a welcome message from iThemes that lets you log in to your Sync dashboard.

Log in to your iThemes Sync account and add your current WordPress site to iThemes Sync. You can add a maximum of 10 sites to iThemes Sync for free.

Add a site

Now download iThemes Security Pro from the Downloads section. After that, log in to your WordPress account, then install and activate the plugin using the regular WordPress plugin installation method.

iThemes Security Download

The very first step is to activate the license for iThemes Security Pro. To do so, navigate to Settings −> iThemes Licensing.

Now select your iThemes products and click the “License Products” button. After licensing, you will see the expiration date of each product along with its product status.

Licensed products

After that, head to Security −> Dashboard and click on “Secure Your Site Now.” There are four important steps to take before setting up iThemes Security.

Important First Step

Backup Your Site: Before getting started with iThemes Security, it’s recommended that you back up your database.

Allow File Updates: iThemes Security needs to write to the wp-config.php and .htaccess files, so you should allow file updates to grant it those rights. Click the “Allow file updates” button.

Secure Your Site: This is a default setting that cannot conflict with other plugins or themes.

Help Us Improve: iThemes Security Pro would like to collect anonymous data about the features you use to help improve the plugin. Press the “Yes, I’d like to help” button.

Finally, click “Dismiss” to get back to the Security Dashboard panel.


iThemes Security pro dashboard

Don’t Lock Yourself Out

iThemes Security is very strict in securing your WordPress site against all the potential spam attacks that come from website users or hackers. It doesn’t care who you are: if it detects any unusual activity, even from the website administrator, it will lock you out.

This can be troublesome on sites with existing errors: an admin lockout may force you to take action such as removing the plugin files from your WordPress plugins directory through the File Manager on the server end.

So if you don’t want to get into serious technical trouble like this, whitelist your IP by clicking on “Temporarily Whitelist my IP for 24 hours.”

Getting Started

In the Getting Started guide you can watch a quick walk-through video covering iThemes Security Pro installation and the setup documentation. If you have any questions about iThemes products, you can get help by clicking the “Get Help Now” button.

Security Status

The Security Status section lists your site’s high-risk, medium-risk and low-risk points, where you must take action by fixing each issue with the “Fix it” button.

High Priority

  • XML-RPC requests can try multiple authentication attempts per request. Attackers can use this to speed up their brute force attacks.
  • Malware scanning is not scheduled to run automatically.
  • You are not allowing two-factor authentication

The items listed above must be addressed to keep your site safe from very likely attacks, since it is currently at risk.

By clicking the “Fix it” button you can fix each critical issue individually in the “Settings” section.

Medium Priority

  • Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection.
  • Your login area is partially protected from brute force attacks. We recommend you use both network and local blocking for full security.
  • Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.

The security signals listed above are treated as medium-priority tasks for your site. They are displayed in a yellow highlighted zone, meaning that fixing them is imperative for a strong security coating across your site.

Low Priority

In the Low Priority section you will see a handful of tasks that are less likely to cause critical issues across your site. It is still strongly recommended that you fix each and every issue carefully, because your site’s security is a big concern after all.


iThemes Security Pro Settings copy


Global Settings

Global settings are the initial security settings of iThemes Security; they control how unethical login attempts on your site are handled through the lockout process. In Global Settings you will mostly work with Notification Email, Blacklist Lookback Period, Lockout Period, Lockout White List, etc.

404 Detection

404 detection looks at a user (possible hacker) who is hitting a large number of non-existing pages and getting a large number of 404 errors.

Away Mode

Your site’s login normally remains active 24 hours a day unless you activate the Away Mode feature. This setting allows you to disable access to the WordPress Dashboard for a specified period. In addition to limiting exposure to attackers, this can also be useful for disabling site access on a schedule, for a classroom or for other reasons.

Brute Force Protection

If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site, they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible to by default, as the system doesn’t care how many attempts a user makes to log in.

By enabling this feature your site will be safe from unwanted brute force attacks.
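The counting logic behind the 404 Detection and Brute Force Protection settings above, together with the lockout whitelist, can be sketched offline against a web server access log. This is an added example, not iThemes Security's own code: the function names, threshold, time window, log lines and IP addresses are constructed for illustration, and it assumes a failed wp-login.php POST is answered with HTTP 200 while a successful one redirects.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format fields needed: client IP, timestamp, method, path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def hosts_to_lock_out(lines, threshold=5, window=timedelta(minutes=5), whitelist=()):
    """Return {ip: reason} for hosts with `threshold` events inside `window`."""
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    flagged = {}
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if ip in whitelist:
            continue  # whitelisted hosts (e.g. the administrator) are never locked out
        if status == 404:
            kind = "404"
        elif method == "POST" and path.startswith("/wp-login.php") and status == 200:
            kind = "login"  # assumption: 200 on a login POST means the attempt failed
        else:
            continue
        q = recent[(ip, kind)]
        q.append(when)
        while when - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, kind)
    return flagged

# Constructed sample log (documentation-range IPs, not real traffic).
def _line(ip, sec, method, path, status):
    return f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE = (
    [_line("203.0.113.7", s, "GET", f"/old-plugin-{s}.php", 404) for s in range(6)]
    + [_line("198.51.100.9", s, "POST", "/wp-login.php", 200) for s in range(10, 16)]
    + [_line("192.0.2.10", s, "GET", f"/missing-{s}", 404) for s in range(20, 26)]
    + [_line("192.0.2.44", 30, "GET", "/typo", 404)]  # a single stray 404
)

if __name__ == "__main__":
    print(hosts_to_lock_out(SAMPLE, whitelist={"192.0.2.10"}))
```

Running it without the whitelist also flags 192.0.2.10, which is the administrator lockout the “Don’t Lock Yourself Out” step is meant to prevent.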

Hide Login Area

Enable this to hide the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks and making it easier for users unfamiliar with the WordPress platform.

Malware Scanning

iThemes Malware scanning is powered by Sucuri Sitecheck. It checks for known malware, blacklisting status, website errors, and out-of-date software.

Strong Password

Force users to use strong passwords as rated by the WordPress password meter.

System Tweaks

These are advanced settings that may be utilized to further strengthen the security of your WordPress site.

Advanced Settings

iThemes Security Pro advanced

Admin User

This feature will improve the security of your WordPress installation by removing common user attributes that can be used to target your site.

WordPress Salts

A secret key makes your site harder to hack and access by adding random elements to the password.

Change Content Directory

Changing the name of the Content Directory on a site that already has images and other content referencing it will break your site. For this reason, it is highly recommended that you only change the Content Directory on a fresh WordPress install.

Change Database Prefix

WordPress assigns the prefix “wp” to all tables in the database where your content, users, and objects exist. This is also a vulnerable point of any WordPress site. By enabling this setting you can generate a new database table prefix.



iThemes Security Pro copy

These are the features included only in iThemes Security Pro, which contains some of the most advanced site security layers, especially Malware Scan Scheduling, WordPress Password Expiration, Google reCAPTCHA, Two-Factor Authentication, and User Logging.

If you don’t have the Pro version, use this link to download iThemes Security Pro.

Malware Scan Scheduling

Protect your site with automated malware scans. When this feature is enabled, the site will be automatically scanned each day. If a problem is found, an email can be sent to select users.

Privilege Escalation

Enabling this feature will allow administrators to temporarily grant extra access to a user of the site for a specified period of time.

WordPress Passwords

Use this option to strengthen the passwords users use to log in to your site.



Protect your site from bots by verifying that the person submitting comments or logging in is indeed human.

Two-Factor Authentication

To allow users to log in with two-factor authentication, enable one or more two-factor providers. Once at least one two-factor provider is enabled, users can configure two-factor authentication from their profile.



Clicking this button takes you to the iThemes backup plugin, BackupBuddy. If you use iThemes Security, it’s highly recommended that you also use BackupBuddy to ensure full site backups and scheduled database backups.


In this section you will see various security log information under Don’t Lock Yourself Out, Security Log Data and Log Summary. You can clear the logs at any time.


To get instant help from iThemes Security expert team you can easily create a support ticket by clicking on “Create a support ticket” button or get Hack repair service from Sucuri and iThemes recommended hack repair partner to get things back in order.


WordPress security is indeed a big concern for many people in the internet marketing space who maintain a number of websites and blogs for their businesses. Hackers are unstoppable, and they’re a damn terror to vulnerable WordPress sites, which can be easily cracked with a few simple hacking steps.

Despite the countless WordPress security services and security experts in our industry, many people still can’t get a calm and peaceful night’s sleep over their most beloved website or blog. We know how hard it is to stop hacking attempts against a million-dollar website when, on average, 30,000 new websites are hacked each day.

iThemes Security Pro can be your ultimate solution for getting away from all kinds of hacking attempts. This security tool never causes any downtime across your site, and it’s a handy WordPress security suite at any time.

Let me know your thoughts about iThemes Security Pro, I would be happy to know your positive feedback about this product.

Ahmed Shawan

Ahmed Shawan is a passionate blogger, WordPress enthusiast, digital marketer. He is the top author and founder of TheWildBlogger.com
