Prevent your WordPress website from hackers and malwares in 2019. In this video, we go in depth into configuring WordPress security for 2019.

Video Transcript:

How to Secure Your WordPress Website From Hackers & Attacks with iThemes Security – Tutorial

Hey, What’s up, guys? This is Nayyar Shaikh from And in this video, we’ll see how to secure your WordPress website from different hackers, different attacks or anyone, you know injecting any script or code on your website. And before proceeding make you subscribe to my channel. And also press that bell  icon so that you don’t miss any further videos. So let’s get started.

To do so, go to your dashboard. Hover, appearances and click on add new to add a new plugin. Now here, search for itheme security. This is the one which really be using in this video. This is a free and awesome plugin as you can see it has got more than 800000 active installs and a great rating. Okay. This is my itheme. So just click on this “install now” button. Now activate this plugin. OK, so you’ll see these two messages over here then just cut both of these. Now the left hand side, you will see a new bar or which says security.

Just click on security. First, it will do a security check. So just click on the secure site button. Now, they’ll ask you for your e-mail. So, just put in your e-mail address over here and click on activate Network Brute Force Protection. We’ll see what this is later on. Now make sure you have all these green tick marks all year. Now click on close button. So, we have done with security check. Next one is global settings. Click on configure settings. Here are their different options. Let’s see one by one.

First one is to allow this plugin to write codes on our wp-config and htaccess file. So, make sure this is stick marked. Next one is Notification Email as you can see at present your email is over here. This is the email where you receive alerts when someone is trying to hack your website or when someone is attacking your website. If you want to enter more email address, more than one email address, you can just enter them on next line. Third one is Send Digest Email. So, basically what does this mean. If you take mark this thing which I recommend doing, you will receive one email address. So, someone is attacking your website. Suppose, 3 or 4 person have tried to attack to your website. So, you won’t be getting four or five email per day. What will happen is they will digest. They will make one particular email and send you that. So that is very useful.

Here is the Backup Delivery Email. So, make sure you put more than one email address that would be fine. So what does this mean by the way is this particular means that they will back up your database and sent you on this particular email very important. If suppose tomorrow someone attacks a website and deletes all the data, you can use this database file and you will be able to recover most of the things. Then your are different lockout messages. Make sure you don’t need to change anything or you’re OK.

Next one is Blacklist Repeat Offender. Make sure this is enable if this box is checked or it is enable, the IP address of the offending computer will be added to the banned users blacklist. After reaching the number of listed below. As you can see the number of lockouts. 3 lockout of if that IP address has reached three lockouts. He will be automatically added to the banned users list.

And as you can see the next one is Blacklist Lockout Period. How many days should a lockout be remember to meet the blacklist count above? So, we will see seven days. So within seven days if anyone tries to attack your website, three times and they get a lockout for three times. They will be added to the ban user list and make sure just you don’t need to change this thing. You can read what this is. The length of time my host I usually will be banned from this site after hitting the limit of bad log in.

So after hitting the limit of banned log in, they will be banned for 15 minutes. Now hear what you have to do you have to click on this button. It will automatically add your IP to the whitelist.

That is very important so that you don’t get locked out of key which is very important if you’re using your website from different places. Make sure you put in all those IP addresses where you’re in the white list. I won’t click this because I don’t want anyone to know my IP address.  But if you want to just click on this button, your IP address will automatically come up here and rest everything is fine just scroll down to the bottom. And click on these safe settings.

And remember, we are doing only the most important steps over here. So, we won’t be seeing all the settings over here. We’ll see only the most important things which are required. The most of the things are already done by this particular plugin. So, you don’t need to change everything.

Next one is 404 detection. This is also important so we will enable these and click on configure settings to see what these particular means. This particular means that suppose someone is trying to visit a page or to a file which doesn’t exist on your we site. That trigger says that someone is trying to attack on our website and looking for the file. So, that they can do something bad, something dirty with that file. So, this is the setting for that. So minutes so remember 404 error. S,o a number of minutes in which 404 should be remembered and counted towards lockout. So, five minutes. Within five minutes if they received 20 errors, they will be added or that IP address will be added to the ban user list. I recommend you to reduce this to maybe five. So within five minutes if someone has received 5, 404 errors, they’ll be added to the ban user list. Okay, Now click on save settings.

Away Mode. Let’s see what this is first enable this. Click on configure setting. So, basically what does this mean. Suppose you know for the fact that you won’t be visiting or using your dashboard from maybe 1a.m. to 6a.m.. So what you can do you can enable this away mode. So, even if you want to visit or even if you want to log into a dashboard, you won’t be able to do that. If you know for a fact then you can do though I wont enable it. I will disable it because at present, it is 1:30 and I’m recording this really,1:30 A.M.. So this is not for me but for most of you guys this is the one. Just click on Save Setting but I’ll disable this.

Now here is the Band Users. Let’s click on configure setting. Now you just have to do one thing. Just tick Mark over here, Enable Hack Repair blacklist feature. So basically this particular website has a blacklist feature so we want to enable those features. Everything is fine. Just click on save settings.

Next is Database Backups. Click on configure settings. Here, what you have to do is make sure your backup method is only email. If you want to save it locally and email, you can select this. I will select only email. I want to receive my database only on my email so that will be fine.

Backup to Retain. Make sure it is 0 backups because if you make it know 5,10 whatever then your database will be saved to your server. For example if you’re using host data, they will save in host data sever. Which is not a good thing. Okay. It increases the file size, the server size and so on. But if you want if you don’t care about that then you can increase that. I would recommend you to keep this to zero. Make sure this is tick mark, zip database backups so that it will reduce the size and will get one single file as if file.

Now here is the Scheduled Database backup. Enable this. Now you will see what is the interval for the database. For example. I want to my database to be mailed every seven days, so I put seven. This basically depends on how often you make changes to your website. For example, every seven days I write a new blog, i type on new blog. So I’ll put in seven days. Click on Save Settings.

Now come to this Local Brute Force Protection and click on configure setting. In this option, we are limiting the number of times, a user or a person can log into your website. For example, if we do not do any changes over here then by default WordPress, doesn’t have an upper limit or a threshold for that. For example, if someone comes and they start typing some username, some password. If they are doing that wrong four hundred times, still they won’t be locked out. OK so they can go on and on and on and they can. Ultimately, there are chances that they may come to and they may be able to logging to your website and they may change some files that would be very bad.

So, we are putting the upper limit to that for example, Max logging attempt per host. So, We are seeing only five attempts. After five failed attempts, he should be added to the Ban Userlist. Max logging attempts per user, 10 attempts. Max minutes to remember bad login, five minutes. So this is fine.

If you want to enable, In fact, I would recommend you to enable this one which will automatically ban anyone who is trying to log in into your website using the admin username. Make sure you don’t have admin username which is very dangerous. If you have changed your user name, that would be very useful.  This is very useful, make sure this is tick mark so that you know we know someone is trying to log in into our dashboard, using this particular username and they will be banned automatically. Click on Save Settings.

Coming to Network Brute Force Protection and click on configure settings. The previous setting which we saw was local brute force and it is network brute force. So, it is very useful actually. If you have API key and you will have an API key because we entered our email address. Suppose, a person or an IP address has tried to attack a website, my friends or any website, who is using and that website is itheme. So that IP address has been added to blacklist on that person’s website. But that person will automatically be added on this website also because we have formed a network. And suppose someone attacked my website then that person IP address will go to that network and that IP address won’t be able to attack someone else’s website who’s using itheme.

So this is very important. So we don’t have to do any changes over here. I just thought I should tell you what this thing is actually. Now click on save settings.

Coming to WordPress Salts, click on configure settings and check this box. If you see your WordPress config file, you’ll have a code over there, WordPress Salt code. So basically we are setting a code in a very difficult to remember code. For example such as this password such as this. So we are placing this code. So you know, it is very difficult for anyone to come to this combination of alphabet and numbers. It will be difficult for anyone who is trying to attack our website and click on save settings.

Once you go to save settings you will be logged out and in fact anyone who is logged in into your website will be logged out. If suppose you have you use your website to make changes on your office, in your office, then in your office also you will be logged out. So this is very important.

That even if someone has logged in into our website then they will be logged out. Now click on log in. Now again scroll down and go through security. You can also over here where you have both the options. Okay, guys so these were all the basic settings. We are done with basic settings.

Now click on this at advance tab. And we will be doing the most important, according to me, the most important setting now. Which is to hide the backend. Now just click on this configure settings. Now first let me explain what this means.

For example, any website, any WordPress website by default has this wp-admin as the dashboard. For example, if I have to go to your dashboard, if you have a website xyz so I’ll go to I will go to your dashboard that means I’ll go to the log in page and if I can successfully log in. Then I will be able to login the your dashboard. Now what we want is we want to hide this info.

After we hide these what will happen, now after we hide wp admin. Now anyone who is trying to put any They will see a 404 page or a page not found. That page is not found. By this if you link that setting which we did 404 detection. Both will link and it will be very useful because if someone is again and again trying to visit that website that page. We know for sure that he is trying to attack our website. And we also hide our backend which is very very important.

Just tick mark this which says enable the hide back and feature. Now, you have to change the log in slug for example wp-admin. What you want instead of wp-admin? For example,  I want to use nayyers777123456. Make sure you write it somewhere so that you yourself don’t forget this. So make sure you just write it somewhere. That will be really helpful.

Now here is the Enable Redirection. So as I said to you earlier when someone will go to this particular page, wp-admin, they will be redirected to a 404, page not found page. Click on Save settings.

Now. Guys these were the most important settings. And by doing this, you have secured your website to a very great extent. And I hope this video was helpful to you. If it was helpful then make sure you subscribe to my channel and also press on that bell icon. Thanks a lot for watching.

Here Are Some Additional WordPress Related FAQs

10 WordPress Tips to Make Your Website Secure
  1. Choose a Good Hosting Company. The simplest way to keep your site secure is to go with a hosting provider who provides multiple layers of security.
  2. Don’t Use Nulled Themes.
  3. Install a WordPress Security Plugin.
  4. Use a Strong Password.
  5. Disable File Editing.
  6. Install SSL Certificate.
  7. Change your WP-login URL.
  8. Limit Login Attempts.
Which WordPress Security Plugin is Best for You?
  • For the best value – Sucuri Security, SecuPress, Jetpack, iThemes Security, or Shield Security.
  • If you want a free WordPress security plugin – All In One WP Security & Firewall, Sucuri Security (free version,) or Wordfence Security.

No plugin is 100% safe. But you can significantly reduce WordPress plugin vulnerabilities by learning to assess and select quality plugins before installing them. Pick plugins only from reputed marketplaces like CodeCanyon, the WordPress Plugin repository, or third-party stores that you trust.

Hackers aren’t getting in due to vulnerabilities in the latest WordPress core software. Rather, most sites get hacked from entirely preventable issues, like not keeping things updated or using insecure passwords. If WordPress is secure when you follow best practices, so you know if your website will be safe.

In a separate post, Google outlined the following six ways that websites get hacked by spammers:
  • Compromised passwords.
  • Missing security updates.
  • Insecure themes and plugins.
  • Social engineering.
  • Security policy holes.
  • Data leaks.

WordPress is safe as much as you make it safe. So you can’t expect WordPress to be 100% secureWordPress release security update regularly whenever there is a security bug and security update applied on your website automatically. Also, there is a lot of FREE plugins that helps to make your website safe.

All verification process is accomplished through an automated process. Single Domain SSL Certificate starts at $4.95 per year price. Wildcard SSL Certificate: A Wildcard SSL Certificate is the best products to protects unlimited subdomains hosted on a single website.

Anything can be hacked. While HTML is safe against 99% of attacks, if someone gets root access to your server they can put whatever they want in the pages. Can hackers “hack” a static html website? If you define HTML as HTML / CSS, then the answer is NO!

After all – we care about your site’s security as well!
  1. Back Up Your Website.
  2. Implement Your SSL Certificate.
  3. Add HTTPS to the WordPress Admin Area.
  4. Update the Site Address.
  5. Change Links in Your Content and Templates.
  6. Implement 301 Redirects in .htaccess.
  7. Test and Go Live.
  8. Update Your Site Environment.
Paid SSL Certificates

To equip a website with these certificates, one must pay for it. A paid certificate is issued and signed by a trustworthy certificate authority (CA). As far as the level of encryption is concerned, a free SSL certificate provides the same level of encryption as a paid one.

No Comments

Be the first to start a conversation

Leave a Reply

  • (will not be published)