iThemes Security

Better WP Security is a complete tool that covers all the angles when it comes to WordPress security.

This plugin can aid administrators in fixing all their WP installation's problems, from login issues, to public folders, database backups, and up to the admin username itself.

There's a lot to tweak around with this plugin, providing features, settings, and security trinkets that not many WordPress webmasters know about. Yes, you might be surprised by the level of modifications and obscure bugs this plugins help you fix, but at the end of the day, you'll feel much safer than before installing this plugin.

Installation:

Unpack and upload it to the /wp-content/plugins/ directory.
Activate the plugin through the 'Plugins' menu in WordPress.

Create a backup of you site before installing and using this plugin.

Features:

• Security site scanning tool
• Change WP admin URL
• IP banning
• Ban problematic bots
• Ban problematic user-agents
• Hide login errors
• Remove meta generator tags
• Remove RSD header information
• Remove Windows Live Write header information
• Remove WP version numbers from the code
• Remove update notifications from unauthorized users
• Changes the admin username
• Change admin username ID
• Change site-wide password policy
• Change WP database table prefix
• Change the path/name of the /wp-content folder
• Schedule database backups
• Log admin activity
• Brute force attack protection
• Block filesystem attacks
• Block database attacks
• Block file editing
• Add SSL support
• Multi-site support
• Apache, LiteSpeed, and NGINX support

What is new in this release:

• Enhancements:
• Minor refactoring for performance and scalability.
• Add ITSEC_BACKUP_CRON constant to replace plugin's backup scheduler with wp_cron.
• Add dashboard reminder to salts to prompt for periodic salt changes.
• Limit the number of lockouts that can be displayed at any given time in the dashboard.
• Fixed:
• Make sure header error messages are suppressed when performing a lockout.
• Error message from missing login information when displaying lockouts.

What is new in version 4.6.2:

• Changes WordPress salts.

What is new in version 4.5.10:

• Fixed:
• Typo on file change warning emails.
• Duplicate module listsing on log page dropdown.
• Missing lockouts on iThemes Sync dashboard.

What is new in version 4.5.2:

• New Feature:
• Temporarily whitelist your IP address via iThemes Sync
• Override proxy IP detection
• Hide admin bar (if desired)
• Perform file scan via iThemes Sync
• Perform malware scan via iThemes Sync
• Enhancement:
• Added filter to allow for custom log pages
• Added debug constant to help troubleshoot multiple emails
• Added constant to force digest emails via wp-cron instead of custom timing
• Fixed:
• Various missing variable fixes were added
• MySQL errors on MySQL 5.6 during activation were fixed.
• HTML emails now contain HTML tag
• Lockout count in emails should now be more accurate
• Make sure to esc URLs on SSL redirects (unreported minor security fix)

What is new in version 4.4.20:

• Fixed:
• Make sure php_gid is always defined to prevent error message if the function is not usable.
• Link to BackupBuddy in admin bar will now work correctly.

What is new in version 4.4.13:

• Enhancement:
• Default log rotation changed from 30 days to 14 days
• Fixed:
• All logs page will properly display even with 50,000+ entries in the log

What is new in version 4.4.5:

• Fixed:
• Typos in digest email.
• Typos in default network lockout message.
• Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations.

What is new in version 4.3.7:

• Numerous typo corrections throughout dashboard
• Clean up notifications for file change detection and malware scanning

What is new in version 4.2.6:

• Fix tweet link
• Minor fixes and cleanup
• Added call to two-factor module

What is new in version 4.1.3:

• Better descriptions on white list
• Add pro table of contents if needed
• Make sure security admin bar item works
• Make sure lockout message only happens when needed
• Suppress errors on readlink calls
• Make sure class is present for permanent ban
• Make sure white list is an array
• Fix white listed IPs not working
• Log when Away-mode is triggered
• Make sure away mode file isn't accidently deleted
• Make sure away mode doesn't even allow access to the login form (as it didn't in 3.x)
• Enhance warnings on "Change content directory" settings
• Better descriptions on white lists
• Fixed XMLRPC label
• Better XMLRPC Dashboard status
• Don't allow logout action on wp-login.php with hide backend
• Better check for variable in SSL admin

What is new in version 4.0.25:

• Make sure backup directory is present before trying to use it
• Make sure backup file method is respected on all backup operations
• Added ability to limit number of backups saved to disk
• Minor typo and other fixes
• Only load front-end classes as needed
• Add link to free support at .org forums

What is new in version 4.0.21:

• Update NGINX comment spam rewrite rules to better work with multi-site domain mapping
• Move 404 hook in hide backend from wp to wp_loaded
• Make sure super-admin role is maintained on multi-site when changing user id 1 and admin username at the same time
• Make sure all redirects for hide backend and ssl are 302, not 301
• Better resetting of SSL and disallow file editor on deactivation to account for more states
• Make sure hide backend works with registration
• Minor copy and other fixes
• Update nginx rewrite rule on comment spam when domain mapping is active
• Added the ability to disable file locking (old behavior)
• Better file lock release (try more than 1 method) before failing
• Don't automatically show file lock error on first attempt

What is new in version 4.0.16:

• Fixed bug preventing file change scanning from advancing when chunked
• Don't autoload file list on non-multisite installations
• Make sure away mode settings transfer from 3.x or disable away mode
• Better descriptions on save buttons

What is new in version 4.0.8:

• Removed error message that could happen on user creation with strong passwords enabled
• Moved strong password js later in execution cycle to prevent errors
• More hide backend tweaks to cover remaining white screen issues

What is new in version 4.0.2:

• Fixed bug in conversion of wildcard IP (ie 131.2.1.*) to proper netmask. Should prevent 500 errors on sites.

What is new in version 3.6.4:

• Removed FooPlugins support box as iThemes begins integration of all support
• Removed InfiniteWP Compatibility

What is new in version 3.6:

• Added WP Security Lock as a partner for sites that have already been compromised.
• Changed social information to iThemes
• Better domain support
• Add username to notification email
• Changed author to iThemes
• Added links to backup buddy and iThemes subscription
• Fixed inconsistent count in logs

What is new in version 3.5.5:

• Minor fixes for strict warnings occurring when on PHP 5.4.
• Fix for lstat error for files in the better-wp-security/backups/ directory.
• Fixed an error that prevented manual filecheck.

What is new in version 3.5.2:

• Fixed error message that could appear when creating backups.

What is new in version 3.4.8:

• Fixed error message that may occur if InfiniteWP is not installed.

What is new in version 3.4.6:

• Updated usability on ban lists.

What is new in version 3.4.3:

• Only clear WP Supercachce when full page cache clearing is required.

What is new in version 3.4.2:

• Gravatars will no longer dissappear after changing user 1 id
• Better cache clearing when changing options
• Reworked away mode for better cache handling
• Subdirectory redirects should now work
• Fixed error message on logout
• Fixed password reset email link
• Will no longer duplicate IPs in ban list when entered via auto-ban
• Minor style updates
• Better namespacing in content.php
• Removed 38.0.0.0/8 from hackrepair.com blacklist

What is new in version 3.2.7:

• Hindi translation.
• Spanish translation.

What is new in version 3.2.6:

• Lithuanian translation
• Fixed bug that could allow blank hosts in .htaccess for ban users
• Removed obsolete translations from before version 3.0
• Fixed various typos
• Numerous minor bug fixes

What is new in version 3.2.5:

• Users can now specify email address for database backups
• Fixed bug throwing error when saving changes to existing users
• Corrected typo in intl hook
• List banned IPs on separate lines for readability
• Replaced all instances of WordPress with WordPress
• Logs no longer show errors when records are cleared while viewing file change details
• File check will no longer automatically enable on servers with low RAM
• An extra database key has been introduced to easily disable file checking if it causes memory errors

What is new in version 3.2.4:

• Password reset form will now require strong passwords if configured
• Ability to automatically blacklist an IP address after a specified number of lockouts
• Various minor bugfixes
• Turning off front-end ssl will stop ssl redirect loops in sites with an existing ssl implementation
• Updated language and explanations for various features
• Updated .pot

What is new in version 3.0.1:

• Now works with NGINX.

What is new in version 2.16:

• Fixed login link in new user email after breaking it in version 2.15.

What is new in version 2.10:

• Added Romanian translation.

What is new in version 2.0:

• Now supported by Bit51.com.
• Removed blocking of http HEAD requests to improve integration with social networking APIs such as Twitter.
• French translation by Claude ALTAYRAC.

What is new in version 1.7:

• Renamed detect 404s section to intrusion detection to include upcoming features.
• General spelling and grammer corrections.
• Moved configuration to network dashboard for multisite installations.
• Improved multisite support.
• Warns if .htaccess or wp-config.php files aren't writable where needed.
• Added icon to menu for easier identification.
• Cleaned up and refined status information.

What is new in version 1.4:

• Fixed another issue that prevented the "htaccess" options page from displaying on some hosts.

What is new in version 1.0:

• More code documentation.
• Added warnings to changing content directory (until I can find a good way to update all existing content).
• Added options to clean old entries out of the database.
• Fixed minor typos throughout.

What is new in version 0.9.BETA:

• Bug fixes.
• Internationalization improvements.

What is new in version 0.8.BETA:

• Fixed more critical bugs.

What is new in version 0.4.BETA:

• Changed the main menu name to "Security".
• Minimum requirement raised to 3.0.2.
• Begun code documentation and intl prep.

What is new in version 0.2.BETA:

• Updated hidebe to handle standard logout links.
• Numerous other bug fixes.

What is new in version 0.1.BETA:

• Finished status reporting.
• Force SSL for admin pages (on supporting servers).
• Change wp-content path.

What is new in version ALPHA 10:

• Added more htaccess security options.
• All .htaccess options have been moved to their own page.
• Added simple intrusion detection based on 404s.
• Bugfixes and code optimization.

What is new in version ALPHA 9:

• Deactivating now removes all htaccess areas and turns off associated options.
• Enforce strong passwords for all users of a given minimum role.
• Minor bug fixes.

What is new in version ALPHA 8:

• Added various .htaccess options to strengthen file security.
• Modified "hide backend" rewrite rules to work with multi-site.
• Removed non-security hide-backend options.
• Various bug fixes.
• Renamed "General" options page to "System Tweaks" to avoid confusion.
• Added more options to clean up WordPress headers.
• Added options to remove plugin notifications from non-super admin users.

What is new in version ALPHA 5:

• Complete refactor of the existing code.
• Divided settings sections for better UX.
• Added htaccess checks.
• Redesigned options system for less database calls.
• Reduced table usage from 4 to 2.
• Added email notifications for login limiter.
• Added complete access blocker for login limiter.

What is new in version ALPHA 4:

• Added login limiter to limit invalid attempts.
• Various bug fixes.

Requirements:

• WordPress 3.7 or higher