Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
iThemes Security Configuration

Table of Contents

  • Settings
    • [Global] (#global)
    • [404 Detection] (#404)
    • [Away Mode] (#away)
    • [Banned Users] (#banned)
    • [Brute Force Protection] (#brute)
    • [Backup DB] (#backupdb)
    • [File Change Detection] (#files)
    • [Hide Login] (#hidelogin)
    • [Malware Scanning] (#malware)
    • [Secure Sockets Layer] (#ssl)
    • [Strong Passwords] (#passwords)
    • [System Tweaks] (#system)
    • [WordPress Tweaks] (#wordpress)
  • [Advanced Settings] (#advanced)

Close any and all dialogs, warnings, or nags opened by iThemes Security.


Click “Save All Changes” after each section


  • Check: Write to Files
  • Notification Email: change to
  • Backup Delivery Email: change to
  • Whitelist IP Address
    • Click the “Add my current IP to Whitelist” button
  • Whitelist range
    • Copy the IP address
    • Paste it in the box
    • Replace last number with * - Don't remove the last period
    • Example result: 75.149.220.*
  • Uncheck: Email Lockout Notifications
  • Log Type: change to “Both”
  • Check: Add InfiniteWP Compatibility
  • Check: Allow Data Tracking

404 Detection

  • Check: Enable 404 Detection

Away Mode

Skip this section

Banned Userse

  • Check: Default Blacklist
  • Check: Ban Users

Brute Force Protection

  • Get your iThemes Brute Force Protection API key: enter “
  • Check: Enable local brute force protection
  • Check: Automatically ban "admin" user

Database Backups

Skip this section

File Change Detection

  • Check: File Change Detection
  • Check: Split File Scanning
  • Uncheck: Email File Change Notification

Hide Login Area

Skip this section

Malware Scanning

Skip this section

Secure Socket Layers

Skip this sectionm unless you have an SSL certificate.

Strong Passwords

  • Check: Strong passwords
  • Select role for strong passwords: change to “Subscriber”

System Tweaks

  • Check: all except “Remove File Writing Permissions”

WordPress Tweaks

  • Check: all except “File Editor”
  • XML-RPC: change to “Completely Disable XML-RPC”
  • Multiple Auth XLM-RPC: change to "Block"


Admin User

If there is a user named "admin", create a replacement user with administrator privileges, then log in as that user and delete the "admin" user. Assign all content to the new administrator user.

WordPress Salts

Change the WordPress salts before launching a site or after migrating the site to a new host.

Change Content Directory

Skip this for now.

Change Database Prefix

If the current database table prefix is "wp_", check the "Change Table Prefix" checkbox and click the "Change Database Prefix" button.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment