
Solid Security Recommendations

Solid Security (formerly iThemes Security) is one of your best friends for securing a WordPress site. Even if you use the free version, it helps you take important steps to harden your site.

Under SETTINGS
  • Features
    • Login Security: enable Two-Factor
    • Firewall -> Ban Users: enable Default Ban List, Ban Lists
    • Firewall -> Local Brute Force: Automatically lock out “admin” user
    • Firewall -> Network Brute Force: Ban Reported IPs
    • Features -> Utilities: Enforce SSL (ON)
  • User Groups
    • Require strong passwords and refuse compromised passwords
    • Require 2FA for Administrator users
    • Restrict managing Solid Security to Administrator users
  • Advanced
    • System Tweaks: Recommend checking all these boxes
    • WordPress Tweaks: Disable XML-RPC, Login with email address only, Disable extra user archives
    • Hide Backend: Change the login slug!!!
Under TOOLS
  • Identify Server IPs – RUN
  • Change Database Table Prefix – RUN; this is one of the most important things you can do!
  • Check File Permissions – follow its suggestions and make sure everything in this section is happy!
Preferences

Here are a couple of personal preference tweaks:

  • Settings -> Global -> Other: Hide Security menu in Admin Bar
  • Settings -> Notifications -> Security Digest: Disable Security Digest
One more thing: user_id=1

While iThemes Security (free) used to have an option to change the ID of the first user, that’s now a Solid Security PRO feature. If you don’t have the PRO version, you can accomplish the same thing pretty easily, as long as you have access to more than one email address, or to the back-end database.

From phpMyAdmin or another database GUI, simply locate the {wp_prefix}_users table and manually change the ID of user 1. This is only recommended if your site is pretty new and doesn’t yet have a lot of pages/posts, because posts, comments and user meta all reference that ID and would need to be updated to match. Otherwise:

  • Determine if you have a user with ID=1: In the USERS menu, mouse over each user. On a PC, the link target pops up at the bottom of your screen; otherwise, start editing the user and read the URL in the address bar. The portion you’re concerned with is user_id=XX.
  • If that user is NOT you, delete that user, attributing all content to yourself. If need be, create a new user for that person.
  • If that user IS you, create a new all-powerful user for yourself, using a different email address. Then log in as your new user and delete your old user, attributing all content to your new user.

All things considered, when you’re done, there should be no user with ID=1.
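The database route mentioned above (phpMyAdmin or another GUI), as an added MySQL example that is not part of the Solid Security docs. It assumes the default wp_ table prefix and picks 1234 as the new ID; both are assumptions you adjust to your site, and it re-points the tables that reference the user ID so content ownership survives the change.

```sql
-- Assumed: table prefix wp_, new ID 1234 (adjust both to your site).
-- Run against a fresh backup-verified database from phpMyAdmin's SQL tab.

-- 1. Confirm the target ID is free (must return 0 before continuing).
SELECT COUNT(*) AS id_in_use FROM wp_users WHERE ID = 1234;

START TRANSACTION;

-- 2. Move the user row itself.
UPDATE wp_users    SET ID = 1234          WHERE ID = 1;

-- 3. Re-point every table that stores the user ID, so roles,
--    authorship and comment ownership follow the account.
UPDATE wp_usermeta SET user_id = 1234     WHERE user_id = 1;
UPDATE wp_posts    SET post_author = 1234 WHERE post_author = 1;
UPDATE wp_comments SET user_id = 1234     WHERE user_id = 1;
UPDATE wp_links    SET link_owner = 1234  WHERE link_owner = 1;

COMMIT;

-- 4. Keep future accounts from being handed ID 1 again.
--    (ALTER TABLE runs outside the transaction; MySQL commits implicitly.)
ALTER TABLE wp_users AUTO_INCREMENT = 1235;

-- 5. Verify: no user with ID 1 remains, and the moved account still has its roles.
SELECT ID FROM wp_users WHERE ID = 1;                 -- expect no rows
SELECT meta_value FROM wp_usermeta
 WHERE user_id = 1234 AND meta_key = 'wp_capabilities'; -- expect the original role
```

If the site has many posts, the UPDATE on wp_posts is the step that takes time and is the reason the manual approach is best kept to new sites.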
