WordPress sites are attacked by hackers every day. Many sites fall prey to hackers simply because they’re not secure enough. They don’t have enough to protect them. Some only have simple protection that hackers have little trouble getting around. Many sites have weak passwords, obsolete software with security holes, and plugin vulnerabilities. According to iThemes, an average of 30,000 new sites are hacked per day.
Website security is not something you want to play around with. A website with weak security can do a lot of damage to your business, reputation, and your readers and customers. To protect your site from hackers, it’s best to plug up the holes, strengthen your site against specific types of attacks, and strengthen user credentials. iThemes Security plugin does that and more. In fact, it’s one of the most comprehensive and feature-rich security plugins available, which is why we featured it in our list of the best WordPress security plugins. It’s available in both a free and premium edition. Let’s take a look, shall we?
Overview
iThemes Security touts itself as the #1 security plugin for WordPress. Big claim, but with over 30 features to protect your site, iThemes puts its money where its mouth is. And users agree, giving it a rating of 4.7 out of 5 with downloads approaching 4 million.
To get a better understanding of its features, I took the plugin for a test drive. I installed the free edition on a test site. Here is what installing it looks like. Next we’ll take a look at the dashboard.
Installation and Setup
After the install, you’re given several options. The first option is to protect your site by taking it to the next level with iThemes Brute Force Network Protection.
Secure Your Site Now
Clicking the button to secure your site now gives you a popup with several choices.
Choices include:
- Back Up Your Site – back up your database before securing your site. Includes posts, pages, comments, and user information. For media files, themes, and plugins you’ll want to use BackupBuddy.
- Allow File Updates – automatically updates your wp-config.php and .htaccess files
- Secure Your Site – enables default settings that do not conflict with your plugins and themes
- Help Us Improve – allows iThemes to collect anonymous data about what features you use to help improve the plugin’s features.
Click each one. When it’s complete it will take you to the dashboard.
The Dashboard
There are several features on the dashboard. Here’s the rundown:
Don’t Lock Yourself Out
The plugin tries to keep strange activity from happening on your site. If it detects anything it doesn’t like, it will lock you out. You can get around this if there are issues with your site that you need to work on. Clicking Temporarily Whitelist my IP will white list your IP from lockouts for 24 hours. You can still be locked out if your IP changes.
Getting Started
This section includes a 3-minute video that shows you how to secure your site using iThemes Security plugin. It gives a quick-start guide of the basic settings.
This section also includes an option to get expert help or upgrade to the pro edition.
Security Status
The security status of all of your items are shown by their priority that includes high, medium, and low. Each task has a fix it button. I used it on a test site to see what the tasks were. These were highlighted in red. Here is the run-down:
High Priority
- Your site is not performing any scheduled database backups
- Malware scanning is not enabled
Clicking the first one took me to the scheduled backup section in the settings screen where I could turn on scheduled settings and choose the interval (3 days was default).
Clicking the second button took me to the malware scanning settings in the settings screen. Clicking this one asked me for an API key. To get this key simply visit VirusTotal and set up a free account.
Medium Priority
- Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection.
- Your login area is partially protected from brute force attacks. We recommend you use both network and local blocking for full security.
- Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.
- You are not protecting common WordPress files from access. Click here to protect WordPress files.
- XML-RPC is available on your WordPress installation. Attackers can use this feature to attack your site. Click here to disable access to XML-RPC.
- Users can execute PHP from the uploads folder.
This is a short list of the medium priority tasks. They were highlighted in yellow. Clicking on the fix it button for each one took me to the settings where I could enable it and make any adjustments I wanted. Some were advanced settings.
Next was Low Priority followed by System Information which included information about the database, server, PHP version, and more.
Settings
Settings include:
- Global
- 404 Detection – locks out someone that gets too many 404 pages (possible hackers)
- Away Mode – disable access to the dashboard during times you don’t use it
- Banned Users
- Brute Force Protection – bans users after too many failed login attempts (I got a notice of this happening within minutes of turning this plugin on)
- Database Backups – schedules backups to email and any other location you choose
- File Change Detection – This is a form of file integrity monitoring that lets you know when changes have been made
- Hide Login Area – hides the login page from automated attacks and simplifies login
- Malware Scanning
- SSL – you choose which pages run SSL
- Strong Passwords – forces users to have strong passwords
- System Tweaks
- WordPress Tweaks
Advanced Settings
Advanced settings include:
- Admin User – removes common attributes
- Change Content Directory – makes it more difficult for hackers to find problems
- Change Database Prefix – makes it harder for scripts to find your database
Backups
This is where you can create backups or change the settings for your backups. You can also learn about using BackupBuddy.
Logs
This will show you all of the activity that the plugin has detected. It includes work that you’ve done such as backups and malware scans, activities by other users, invalid login attempts, and much more.
Help
Help is more than just a few documents to read. It includes:
- Community support from WordPress.org
- Support & Pro Features with iThemes Security Pro
- Have a Pro Secure Your Site
- Hack Repair
Thoughts on Using iThemes Security
Setting it up and getting started was fast and easy. You can get it up and running by simply clicking the default settings button. I chose the default settings and only had to make adjustments as I clicked “Fix It” in the high and medium priority issues. There are LOTS of features and settings so you can tweak it pretty much any way you want to.
The most impressive part to me is that everything I’ve covered so far is in the free edition. So now let’s take some time to look at the Pro edition.
Pro
The Pro edition adds even more features to this already feature-rich plugin. Here’s a list of Pro features:
- User Action Logging – track when users login, logout, or edit content
- 2-Factor Authentication – use Google Authenticator or Authy to send a custom code to your phone for logging in
- Import/Export Settings – great for setting up multiple WordPress sites
- Malware Scanning – set up schedules for scanning
- Password Expiration – have users passwords expire based on time
- Generate Strong Passwords – generate strong passwords from the profile screen
- Dashboard Widget – manage tasks from the WordPress dashboard.
- Online File Comparison – it will scan changed files to determine if the change was malicious
- Temporary Privilege Escalation – give someone temporary admin or editor access to your site. It will automatically reset itself.
- wp-cli Integration – manage security from the command line
- Google reCAPTCHA
They are currently working on expanding the feature-set for the Pro edition, too. One feature is Geo-IP banning. This will let you block IP’s by country if you’re getting lots of spam and brute force attacks from a specific country. You can view and discuss plans for upcoming features on their public Trello board. Other features they are showing on their Trello board are:
- Settings Migration
- Plugin and Theme Blacklist
- Use alternative domain for WordPress dashboard
- Federated Authentication
- Sleep Mode
Pricing
There are several pricing options available.
- Personal – $80 and gives you 2 licenses. This is a good choice for personal websites.
- Business – is $100 and gives you 10 licenses. This is a good choice for multiple business sites.
- Developer – is $150 and gives you unlimited licenses. This is perfect for designers and developers.
- Plugin Suite – is $247 and gives you the Developer license for all 20 of iThemes plugins.
Tutorials
There are several tutorials on video to help get your started and make the adjustments you want:
Alternatives – How Does It Compare To Other Security Plugins?
iThemes Security has a lot of great features, but it also has the potential to cause problems for your site because it makes significant changes to your database and other site files. Make a backup first. That being said, I used it on several test sites and didn’t have a single problem. If you’re not keen on taking the (possibly small) risk, here are some alternatives you might want to consider:
Wordfence Security
This is a free plugin with a rating of 4.9 and over 4 million downloads. It is one of the most popular security plugins, and with good reason. It has tons of features that include:
- Falcon Engine, which speeds up your website by 50x.
- Support for major plugins.
- Real-time blocking.
- Scans for Heartbleed vulnerability.
- Cache modes with management features.
- Enforce strong passwords.
- Scans core files, plugins, and themes.
- Includes a firewall.
- Blocks malicious networks.
- Checks for file changes.
- Scans for known malware signatures.
- Scans for known backdoors.
- Login security.
There is a premium edition that adds more features, including:
- Advanced spam filtering
- Two Factor Authentication sign in
- Country blocking
- Scheduled scans
- Premium support
- And more.
It costs from $3.90 to $39 per year, depending on the number of sites you use it on.
How It Compares
Rather than working from a single intuitive dashboard, each of the features are set up independently in different options screens. It does have a lot of features, but each of the features are found in independent menus, making them feel like different plugins.
BulletProof Security
This one is also available in both a free and premium edition. It has a rating of 4.8 and has almost 1.5 million downloads. It protects from over 100,000 different types of attacks. It includes brute force login blocking, database backups (both manual and scheduled), firewalls to protect .htaccess, security logging, table prefix changing, and more. You can also change the look with skins if you want.
Most of the higher-level features of this plugin are found in the premium edition. It includes:
- AutoRestore Intrusion Detection & Prevention System (IDPS)
- Quarantine Intrusion Detection & Prevention System (IDPS)
- Real-time File Monitor (IDPS)
- DB Monitor Intrusion Detection System (IDS)
- DB Diff Tool – data comparison tool
- DB Backup – Manual and Scheduled
- DB Status & Info – extensive database status & info
- Plugin Firewall (True IP Based Firewall)
- JTC Anti-Spam / Anti-Hacker
- Uploads Folder Anti-Exploit Guard (UAEG)
- FrontEnd/BackEnd Maintenance Mode
- Pro Tools – 16 mini-plugins
This is only a small sampling of its features. It costs $59.95 and includes unlimited installations, updates for life, and free technical support.
How It Compares
BulletProof Security has a dashboard where everything can be accessed in one place. However, setting it up can be a tedious process. There isn’t a simple click to run button. Everything has to be set up independently. Everything looks and works fine once you’ve gone through the readme files and cleared out all of the alerts. One feature I liked was the notes tab, where you can keep track of changes you make including changes to your .htaccess code.
All in One WP Security & Firewall
This free plugin has a rating of 4.9 with over 600k downloads. It applies security to user accounts, user logins, registration, database, .htaccess and wp-config.php backup and restore, blacklist, firewall, brute force attacks, spam, front-end text copy, and more. It will do a WhoIs lookup so you have detailed information about a suspicious IP. It has a security scanner that will scan files that have changes and it will scan your database tables for suspicious code.
How It Compares
Each of the features are accessed through menus which have their own dashboards. One thing I like is that the primary security features are turned on at installation so you don’t have to go in and turn everything on independently. It doesn’t have as many features, but the features it does have work really well. It gives you a score for each feature that shows you the strength of your site for that feature.
Centrora
This free plugin has a rating of 4.4 with just over 100k downloads. It is a modification of OSE Firewall Security. It includes a malware and security scanner that detects security risks, malicious code, spam, viruses, SQL injections, and vulnerabilities. It includes IP management so you can block suspicious IP’s. The antivirus scanner will look for known security threats, backdoors, trojans, suspicious code, and more.
How It Compares
It installs two plugins: Centrora Security and Centrora Security Badge (this one displays the security badge on your site). Unfortunately, it gave me a fatal error on two different websites. It is evidently not compatible with the latest version of WordPress.
Wrapping Up
iThemes Security is one of the best and most feature-rich plugins to easily secure your WordPress site. While it’s not possible to achieve 100% security online, using iThemes Security plugin will eliminate most threats. It has some of the best features available in a security plugin. Setting it up is easy and using it is intuitive. I tried it with several themes and plugin configurations and had no issues with it.
Have you tried iThemes Security plugin? Do you use one of these alternatives? Did I leave out your favorite security plugin? I’d like to hear your thoughts in the comments below!
Article thumbnail image by Tarchyshnik Andrei /Â shutterstock.comÂ
I’ve used both iThemes Security Pro and Wordfence (free). I see people comment about the rating of iThemes Security. The biggest problem I’ve seen is the attitude of some webmasters. They want a set it and forget it type of solution. They want to install a security plugin, expect it do everything, and all is fine.
When it comes to security, the webmaster needs to be involved. There’s no one size fits all solution. It’s very possible any security plugin will break a plugin on your site, all depending on what’s done and how the plugin is designed. I had iThemes Security break a plugin. It was the fault of the plugin designer. They were calling a WordPress function using an outdated method. Since the plugin was no longer being developed, I searched the plugin code and edited it myself.
This is where the webmaster needs to first, backup the files and database (takes a whole of five minutes). Then, make notes as they make changes. Depending on the plugins and settings things may need to be tweaked. However, I consider it well worth my time to tweak the settings to have my site secure and have a sense of peace of mind.
I set up iThemes after reading the blogs on Elegant themes about it. I was disappointed. It did some kind of upgrade or change and I had to disable to plugin to be able to log in to my site. I am disappointed as I had intended to buy the plugin and others from iThemes. Very disappointed.
Oh, I guess I was not the only one that happened. I did not even realize that which plugins caused block my account.
Did you contact with the iThemes to solve the problem?
I found an issue with iTheme Security plugin. It hides the wordpress default error messages when you enter a wrong password inside login screen.
Looking for a fix!
This plugin works very well. It does just exactly what it was designed to do. Thanks for this wonderful post.
Recently shifted from All in One WP Security to iTheme, The best security I ever Used. Waiting for the GeoIP blocking feature
Worth to buy
Hi.
Just installed iThemes Security to test.
I can still log in, but I can not access my Network anymore! What the heck?
In the forums there are no tread for this plugin, and even I posted a question to the forums it did not appear ..
Not a very good first impression I have to say.
Eddie, web developer from Norway
Personally, I feel like iThemes and most other security plugins like it are great tools if you can install them first thing on a new WP site. Adding them to an existing site with a lot of content and is just asking for trouble.
Great Info! I just decided to use iThemes earlier this week after doing some research on security plugins…
I see alot of good reports on WordFence coupled with iThemes I might try this…
Thanks for the in-depth review.Right now,Using All in One WP Security & Firewall plugin.I will install ithemes security plugin asap! Thanks again
iThemes seems quite comprehensive. Wordfence has been a reliable fallback for us when iThemes creates a server conflict. For example, we had to disable iThemes for a client using Bluehost’s Premium WordPress hosting solution, which is a VPS with Varnish. Even with the default configuration, iThemes caused problems on this hosting platform. We are running iThemes for clients hosted elsewhere.
HI there
I have tried using this plugin but it keeps giving internal server error 505 or 509 everyday, after backup or something.
Not sure why or how its doing it , but its definitely related to its own file change detection and doesnt allow me to change things when needed, so basicly ruining “dynamic site” uselfullness
Great post.
I use iThemes Security ( better WP security) and Wordfence on all my sites, they run fine together as long as you know which plugin is dealing with what, along with IQ Block Country and securing file permissions on the server, my sites are pretty well locked down.
Studying the changes made by these plugins, its pretty easy to follow through what they are doing to secure your site.
Knowing your .htaccess is number 1 place to begin securing your website as well as getting yourself out of trouble when it goes wrong due to a security plugin.
Also, check your database tables before and after installing security plugins, so you know what’s happening there and as always, if you are doing it live, for goodness sake, back up first, files and database. You can never be too safe.
I also run non-default upload directories as well as login pages where possible for added security as well as database suffix and 2 factor auth, so so important!
Nice review, Brenda! You hit most of the major players with great explanations. I’ve tried iTheme Security, Wordfence, and Bulletproof and like them all for different reasons. iTheme is the easiest to set up. Wordfence seems to do a good job – I get lots of notifications of blocked hosts & Ips, Bulletproof was harder to setup but I feel secure with it and have it running on my main review site. On client sites I use iTheme, and so far so good. Lots of blocked hackers.
I’m using the plugin IQ Block Country on one site that was getting bombarded by an Italian IP – normally seems like most hack attempts come from China & Russia. Time will tell if this plugin is working.
Nice job… from a fellow Huntington Beacher!
Bob
We use iTemes Security (ex Better WP Security) on all our websites and it works fine. Recommended plugin.
It’s complete information reviewing this security plugin. I’m so interest with changing url admin feature. However, one issue that still occurs is conflict with a jetpack plugin.
I would love to see a security plugin which re-sets it’s changes when you deactivate it.
I once used a very multi-featured-security plugin and it was nearly not possible to get rid of it, as the admin of the page was lost totally and so the plugin was of no use
I use WordFence but I notice a lot of memory use, which slows down the admin work
you did not mention the security steps which you can do without a plugin:
– some options in wpconfig.php
– password protect wp-admin-directory
– using .htaccess etc.
– file attributes
these steps do work and I think it is of lower risk to use them instead of relying on such a monster-plugin which you cannot dominate / understand / maintain …
Thanks for the summary Brenda – good job.
I had to stop using Wordfence Prof. version on my website hosted at Dreamhost. It demanded so much memory that my site kept going offline for ten or 15 minutes a few times a day. That didn’t happen initially, but when combined with W3 Total Cache, which Dreamhost recommended I stop using, and a large site and database, the overhead became unacceptable. Bulletproof Security felt like it required an advanced degree in computer security and forensics.
Then I tried iThemes Security and quickly upgraded to the pro version. First of all, it get an A+ for usability. Configuration is akin to taking a guided tour. It’s very easy. iThemes also made it easy for me to export settings from one site to another. I do use VaultPress (mentioned above) but only for backups. BackupBuddy is my choice for redundant backups. Additionally its backups work nicely with ServerPress for desktop experimentation and staging.
Note that iThemes strongly suggests that it can break an already established website. That didn’t happen to me because I brought it online only a few steps at a time over the course of a few days. I recommend it highly. Also note that Wordfence’s 2-factor security is by way of text messaging. iThemes uses the Google Authenticator app, which is more convenient in my opinion. A drawback is that they don’t provide a recovery method such as backup codes, just a workaround. You need to have a backup administrative account without 2-factor enabled in case you lose your mobile device. I hope they improve that soon. It also helps to record your setup auth. code in the app so you can quickly re-enable 2-factor accounts on a new advice without starting over from scratch. I recommend doing that with all Google Authenticator accounts.
Wordfence has a nice caching feature but iThemes has more features. Too bad these two giants don’t just work together to create one plugin that does it all.
iThemes is good as long as you run everything on a system where you know how to restore backups without going to the wp-admin area. Serious problems can lock you out of the admin area. We secure over 150 WordPress sites on our dedicated server and use a combination of iThemes and Wordfence. They seem to play well together.
Even with both of these plugins running we have seen over 40,000 attempts from the same IP to access the wp-login.php. This has been changed by iThemes, in turn sending them to a 404 page. The 404 throttle / block in Wordfence does not seem to mitigate these IP’s for some reason. The same is true for iThemes.
Hostgator gave us a double login feature technique. It requires some work but this did not seem to work completely either.
If we could just find a WordPress plugin that works as well as cPHulk for WHM / Cpanel it would be great. cPHulk simply blocks failed attempts and puts the IP on the ban list for the time we specify.
“use a combination of iThemes and Wordfence. They seem to play well together.”
Very interesting! Do you mean it’s possible and useful to install both?
BTW, is there side-by-side comparison of both plugins?
Thanks,
Vitaly
This interests me. I tried Wordfence, but it requires a decent amount of memory available to run on the installation which can be a stopping factor for many sites.
I use a lot of iThemes tools and I wish I could like their Security plugin, but I can’t. Every site I put it on I run into conflicts and it’s just not worth the hassle (read: risk) to use it.
I’ve used the free and premium versions of WordFence and it works nicely. I see a bit of a load time hit if I turn on certain features in WordFence, and their implementation of two-factor authentication is just dreadful.
I’m managing over 30 sites right now and am using BruteProtect and Clef for security. One of the perks of Clef is I can completely remove the username and password fields from the login screen. It sure minimizes hacking attempts if there’s no login fields.
Thanks for the in-depth review. FYI, iThemes is running a 40% off sale through the end of the day.
Same as above – I usually recommend my clients to use Sucuri for paid solutions. As the free ones – I try to stay away from security plugins as I’ve seen them doing more bad things than good ones.
There is other player as well – VaultPress does a combination of malicious scanning and backups.
iThemes Security is pretty good on the surface, but they did have a recent hack where they admitted to using plain text passwords on their site. (See here for more details: https://ithemes.com/2014/09/25/update-2-security-update-for-ithemes-customers/)
It really made me question how seriously they take security with the fact that it took them nearly two months to resolve some of those issues on their OWN site.
Adobe/Sony/HomeDepot/Target/Walmart/TheListGoesOn have all been hacked. Did you stop using them?
I stopped using Adobe, but not only because of security. Their software keeps getting worse and they have new competitors that keeps getting better (Pixelmator, Acorn, Affinity Designer, Sketch, Sketchbook Pro) for much, much cheaper.
Affinity looks cool. I wonder if they’ll eventually release a version for computers?
I followed that whole thing closely and still feel very comfortable using them. The plain text passwords was unrelated to this plugin and according to them was the result of using a third party for managing their memberships or something to that affect. It did not dissuade me in the least from using their products.
Exactly! Plane Text passwords have been a huge no no for as far back as I can remember. (although I can’t remember what I did yesterday lol)
I use iThemes Security Pro on all live sites, works very well.
Hi Brenda
Looks like the ultimate WordPress security post – much appreciated.
“iThemes Security has a lot of great features, but it also has the potential to cause problems for your site because it makes significant changes to your database and other site files.”
That’s what stops me using these security plugins – I use the Sucuri paid version plus a couple of security plugins..
Also notice that WordFence has a rating of 4.9 compared to iThemes rating of 4.7 and that site files backup for iThemes is via BackupBuddy.