iThemes Security recently released a plugin update which may be causing some concerns. First, the update has added a field to settings for daily digest messages, and this field is checked by default. Second, there’s an alert on your WordPress dashboard telling you to get an API key for the Brute Force Network Protection.
iThemes Security Daily Digest Emails
When you set up iThemes Security (especially if you followed my tutorial) you probably turned off the Enable Email Lockout Notifications feature because it was annoying getting 10 emails a day telling you that the plugin is working.
However, suddenly after updating to version 4.4.2, you are getting the emails again, this time in Daily Digest mode.
With version 4.4.2, a new feature was added under Settings > Global Settings. It’s called Send digest email. And when you upgrade to the latest version, it’s automatically activated by default.
While I see the value of just sending one notice per day instead of 10, I still don’t want to see these kinds of emails every day. I periodically review the security logs for my site, and I quite frankly get enough other email.
To disable this, just go to your WordPress dashboard, click on Security, then Settings and then look in Global Settings at the beginning of the section. Uncheck the box for Send digest email and then Save All Changes.
iThemes Brute Force Network Protection
If you recently updated your iThemes Security plugin to version 4.4.2 you have probably seen the following message.
This is a notification that the plugin has added a new feature. In the past, it has looked for IP addresses making too many attempts to log in to your website. This is good, because many hackers try to log in to your website thousands of times using password variations to try and break in. If someone tries and fails to log in too many times, the plugin locks them out.
- If you have multiple sites using this plugin and you get yourself locked out from too many login attempts, you will be locked out of your other sites.
- This lockout is different from the 404 lockout, so if you get 404’d out of your site you will not trip this system.
- The length of the lockout depends on an algorithm which uses how many sites you’ve been locked out of as a variable. So you probably won’t be locked out for long if you just forgot your password. Moral of the story: use the password reset if you forget your password.
This new Brute Force Network Protection is designed to take that a step further. If you get an API key and set up the network, then if someone gets locked out of your site, they will be locked out of all sites on the network. Obviously, this has the advantage of blocking hackers from thousands of sites at once.
To take advantage of this new feature, just click on the “Get Free API Key” button. If you dismissed the notification, but would like to enable the feature, go to Security > Settings > Brute Force Protection.
Look for the Get your iThemes Brute Force Protection API Key section.
Just enter your email address and click on Save All Settings. That’s it: your API key will be automatically installed on your site and you’ll receive an email notification.
Note: If you have multiple sites, you will need to enter your email address and click on save for each site.
iThemes is clearly showing that they are interested in keeping our sites safe by adding new features. While not all of the features may be welcome (like the daily digest automatically set to send), it is nice to know they care.