Skip to content

Instantly share code, notes, and snippets.

@slushman

slushman/themes-security-config.md

Created May 2, 2016 15:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save slushman/9d4ec665dfb344a6bb72639fd32f6d59 to your computer and use it in GitHub Desktop.
Save slushman/9d4ec665dfb344a6bb72639fd32f6d59 to your computer and use it in GitHub Desktop.
Download ZIP
iThemes Security Configuration
Raw
themes-security-config.md

Table of Contents

  • Settings
    • [Global] (#global)
    • [404 Detection] (#404)
    • [Away Mode] (#away)
    • [Banned Users] (#banned)
    • [Brute Force Protection] (#brute)
    • [Backup DB] (#backupdb)
    • [File Change Detection] (#files)
    • [Hide Login] (#hidelogin)
    • [Malware Scanning] (#malware)
    • [Secure Sockets Layer] (#ssl)
    • [Strong Passwords] (#passwords)
    • [System Tweaks] (#system)
    • [WordPress Tweaks] (#wordpress)
  • [Advanced Settings] (#advanced)

Close any and all dialogs, warnings, or nags opened by iThemes Security.

Settings

Click “Save All Changes” after each section

Global

  • Check: Write to Files
  • Notification Email: change to web@dccmarketing.com
  • Backup Delivery Email: change to web@dccmarketing.com
  • Whitelist IP Address
    • Click the “Add my current IP to Whitelist” button
  • Whitelist range
    • Copy the IP address
    • Paste it in the box
    • Replace last number with * - Don't remove the last period
    • Example result: 75.149.220.*
  • Uncheck: Email Lockout Notifications
  • Log Type: change to “Both”
  • Check: Add InfiniteWP Compatibility
  • Check: Allow Data Tracking

404 Detection

  • Check: Enable 404 Detection

Away Mode

Skip this section

Banned Userse

  • Check: Default Blacklist
  • Check: Ban Users

Brute Force Protection

  • Get your iThemes Brute Force Protection API key: enter “web@dccmarketing.com
  • Check: Enable local brute force protection
  • Check: Automatically ban "admin" user

Database Backups

Skip this section

File Change Detection

  • Check: File Change Detection
  • Check: Split File Scanning
  • Uncheck: Email File Change Notification

Hide Login Area

Skip this section

Malware Scanning

Skip this section

Secure Socket Layers

Skip this sectionm unless you have an SSL certificate.

Strong Passwords

  • Check: Strong passwords
  • Select role for strong passwords: change to “Subscriber”

System Tweaks

  • Check: all except “Remove File Writing Permissions”

WordPress Tweaks

  • Check: all except “File Editor”
  • XML-RPC: change to “Completely Disable XML-RPC”
  • Multiple Auth XLM-RPC: change to "Block"

Advanced

Admin User

If there is a user named "admin", create a replacement user with administrator privileges, then log in as that user and delete the "admin" user. Assign all content to the new administrator user.

WordPress Salts

Change the WordPress salts before launching a site or after migrating the site to a new host.

Change Content Directory

Skip this for now.

Change Database Prefix

If the current database table prefix is "wp_", check the "Change Table Prefix" checkbox and click the "Change Database Prefix" button.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment