Everything You Need To Know About The iThemes Security Plugin
WordPress sites are attacked by hackers every day. Many sites fall prey to hackers simply because they’re not secure enough. They don’t have enough to protect them. Some only have simple protection that hackers have little trouble getting around. Many sites have weak passwords, obsolete software with security holes, and plugin vulnerabilities. According to iThemes, an average of 30,000 new sites are hacked per day.
Website security is not something you want to play around with. A website with weak security can do a lot of damage to your business, reputation, and your readers and customers. To protect your site from hackers, it’s best to plug up the holes, strengthen your site against specific types of attacks, and strengthen user credentials. iThemes Security plugin does that and more. In fact, it’s one of the most comprehensive and feature-rich security plugins available. It’s available in both a free and premium edition. Let’s take a look, shall we?
iThemes Security touts itself as the #1 security plugin for WordPress. Big claim, but with over 30 features to protect your site, iThemes puts its money where its mouth is. And users agree, giving it a rating of 4.7 out of 5 with downloads approaching 4 million.
To get a better understanding of its features, I took the plugin for a test drive. I installed the free edition on a test site. Here is what installing it looks like. Next we’ll take a look at the dashboard.
Installation and Setup
After the install, you’re given several options. The first option is to protect your site by taking it to the next level with iThemes Brute Force Network Protection.
Secure Your Site Now
Clicking the button to secure your site now gives you a popup with several choices.
- Back Up Your Site – back up your database before securing your site. Includes posts, pages, comments, and user information. For media files, themes, and plugins you’ll want to use BackupBuddy.
- Allow File Updates – automatically updates your wp-config.php and .htaccess files
- Secure Your Site – enables default settings that do not conflict with your plugins and themes
- Help Us Improve – allows iThemes to collect anonymous data about what features you use to help improve the plugin’s features.
Click each one. When it’s complete it will take you to the dashboard.
There are several features on the dashboard. Here’s the rundown:
Don’t Lock Yourself Out
The plugin tries to keep strange activity from happening on your site. If it detects anything it doesn’t like, it will lock you out. You can get around this if there are issues with your site that you need to work on. Clicking Temporarily Whitelist my IP will white list your IP from lockouts for 24 hours. You can still be locked out if your IP changes.
This section includes a 3-minute video that shows you how to secure your site using iThemes Security plugin. It gives a quick-start guide of the basic settings.
This section also includes an option to get expert help or upgrade to the pro edition.
The security status of all of your items are shown by their priority that includes high, medium, and low. Each task has a fix it button. I used it on a test site to see what the tasks were. These were highlighted in red. Here is the run-down:
- Your site is not performing any scheduled database backups
- Malware scanning is not enabled
Clicking the first one took me to the scheduled backup section in the settings screen where I could turn on scheduled settings and choose the interval (3 days was default).
Clicking the second button took me to the malware scanning settings in the settings screen. Clicking this one asked me for an API key. To get this key simply visit VirusTotal and set up a free account.
- Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection.
- Your login area is partially protected from brute force attacks. We recommend you use both network and local blocking for full security.
- Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.
- You are not protecting common WordPress files from access. Click here to protect WordPress files.
- XML-RPC is available on your WordPress installation. Attackers can use this feature to attack your site. Click here to disable access to XML-RPC.
- Users can execute PHP from the uploads folder.
This is a short list of the medium priority tasks. They were highlighted in yellow. Clicking on the fix it button for each one took me to the settings where I could enable it and make any adjustments I wanted. Some were advanced settings.
Next was Low Priority followed by System Information which included information about the database, server, PHP version, and more.
- 404 Detection – locks out someone that gets too many 404 pages (possible hackers)
- Away Mode – disable access to the dashboard during times you don’t use it
- Banned Users
- Brute Force Protection – bans users after too many failed login attempts (I got a notice of this happening within minutes of turning this plugin on)
- Database Backups – schedules backups to email and any other location you choose
- File Change Detection – lets you know when changes have been made
- Hide Login Area – hides the login page from automated attacks and simplifies login
- Malware Scanning
- SSL – you choose which pages run SSL
- Strong Passwords – forces users to have strong passwords
- System Tweaks
- WordPress Tweaks
Advanced settings include:
- Admin User – removes common attributes
- Change Content Directory – makes it more difficult for hackers to find problems
- Change Database Prefix – makes it harder for scripts to find your database
This is where you can create backups or change the settings for your backups. You can also learn about using BackupBuddy.
This will show you all of the activity that the plugin has detected. It includes work that you’ve done such as backups and malware scans, activities by other users, invalid login attempts, and much more.
Help is more than just a few documents to read. It includes:
- Community support from WordPress.org
- Support & Pro Features with iThemes Security Pro
- Have a Pro Secure Your Site
- Hack Repair
Thoughts on Using iThemes Security
Setting it up and getting started was fast and easy. You can get it up and running by simply clicking the default settings button. I chose the default settings and only had to make adjustments as I clicked “Fix It” in the high and medium priority issues. There are LOTS of features and settings so you can tweak it pretty much any way you want to.
The most impressive part to me is that everything I’ve covered so far is in the free edition. So now let’s take some time to look at the Pro edition.
The Pro edition adds even more features to this already feature-rich plugin. Here’s a list of Pro features:
- User Action Logging – track when users login, logout, or edit content
- 2-Factor Authentication – use Google Authenticator or Authy to send a custom code to your phone for logging in
- Import/Export Settings – great for setting up multiple WordPress sites
- Malware Scanning – set up schedules for scanning
- Password Expiration – have users passwords expire based on time
- Generate Strong Passwords – generate strong passwords from the profile screen
- Dashboard Widget – manage tasks from the WordPress dashboard.
- Online File Comparison – it will scan changed files to determine if the change was malicious
- Temporary Privilege Escalation – give someone temporary admin or editor access to your site. It will automatically reset itself.
- wp-cli Integration – manage security from the command line
- Google reCAPTCHA
They are currently working on expanding the feature-set for the Pro edition, too. One feature is Geo-IP banning. This will let you block IP’s by country if you’re getting lots of spam and brute force attacks from a specific country. You can view and discuss plans for upcoming features on their public Trello board. Other features they are showing on their Trello board are:
- Settings Migration
- Plugin and Theme Blacklist
- Use alternative domain for WordPress dashboard
- Federated Authentication
- Sleep Mode
There are several pricing options available.
- Personal – $80 and gives you 2 licenses. This is a good choice for personal websites.
- Business – is $100 and gives you 10 licenses. This is a good choice for multiple business sites.
- Developer – is $150 and gives you unlimited licenses. This is perfect for designers and developers.
- Plugin Suite – is $247 and gives you the Developer license for all 20 of iThemes plugins.
There are several tutorials on video to help get your started and make the adjustments you want:
Alternatives – How Does It Compare To Other Security Plugins?
iThemes Security has a lot of great features, but it also has the potential to cause problems for your site because it makes significant changes to your database and other site files. Make a backup first. That being said, I used it on several test sites and didn’t have a single problem. If you’re not keen on taking the (possibly small) risk, here are some alternatives you might want to consider:
This is a free plugin with a rating of 4.9 and over 4 million downloads. It is one of the most popular security plugins, and with good reason. It has tons of features that include:
- Falcon Engine, which speeds up your website by 50x.
- Support for major plugins.
- Real-time blocking.
- Scans for Heartbleed vulnerability.
- Cache modes with management features.
- Enforce strong passwords.
- Scans core files, plugins, and themes.
- Includes a firewall.
- Blocks malicious networks.
- Checks for file changes.
- Scans for known malware signatures.
- Scans for known backdoors.
- Login security.
There is a premium edition that adds more features, including:
- Advanced spam filtering
- Two Factor Authentication sign in
- Country blocking
- Scheduled scans
- Premium support
- And more.
It costs from $3.90 to $39 per year, depending on the number of sites you use it on.
How It Compares
Rather than working from a single intuitive dashboard, each of the features are set up independently in different options screens. It does have a lot of features, but each of the features are found in independent menus, making them feel like different plugins.
This one is also available in both a free and premium edition. It has a rating of 4.8 and has almost 1.5 million downloads. It protects from over 100,000 different types of attacks. It includes brute force login blocking, database backups (both manual and scheduled), firewalls to protect .htaccess, security logging, table prefix changing, and more. You can also change the look with skins if you want.
Most of the higher-level features of this plugin are found in the premium edition. It includes:
- AutoRestore Intrusion Detection & Prevention System (IDPS)
- Quarantine Intrusion Detection & Prevention System (IDPS)
- Real-time File Monitor (IDPS)
- DB Monitor Intrusion Detection System (IDS)
- DB Diff Tool – data comparison tool
- DB Backup – Manual and Scheduled
- DB Status & Info – extensive database status & info
- Plugin Firewall (True IP Based Firewall)
- JTC Anti-Spam / Anti-Hacker
- Uploads Folder Anti-Exploit Guard (UAEG)
- FrontEnd/BackEnd Maintenance Mode
- Pro Tools – 16 mini-plugins
This is only a small sampling of its features. It costs $59.95 and includes unlimited installations, updates for life, and free technical support.
How It Compares
BulletProof Security has a dashboard where everything can be accessed in one place. However, setting it up can be a tedious process. There isn’t a simple click to run button. Everything has to be set up independently. Everything looks and works fine once you’ve gone through the readme files and cleared out all of the alerts. One feature I liked was the notes tab, where you can keep track of changes you make including changes to your .htaccess code.
This free plugin has a rating of 4.9 with over 600k downloads. It applies security to user accounts, user logins, registration, database, .htaccess and wp-config.php backup and restore, blacklist, firewall, brute force attacks, spam, front-end text copy, and more. It will do a WhoIs lookup so you have detailed information about a suspicious IP. It has a security scanner that will scan files that have changes and it will scan your database tables for suspicious code.
How It Compares
Each of the features are accessed through menus which have their own dashboards. One thing I like is that the primary security features are turned on at installation so you don’t have to go in and turn everything on independently. It doesn’t have as many features, but the features it does have work really well. It gives you a score for each feature that shows you the strength of your site for that feature.
This free plugin has a rating of 4.4 with just over 100k downloads. It is a modification of OSE Firewall Security. It includes a malware and security scanner that detects security risks, malicious code, spam, viruses, SQL injections, and vulnerabilities. It includes IP management so you can block suspicious IP’s. The antivirus scanner will look for known security threats, backdoors, trojans, suspicious code, and more.
How It Compares
It installs two plugins: Centrora Security and Centrora Security Badge (this one displays the security badge on your site). Unfortunately, it gave me a fatal error on two different websites. It is evidently not compatible with the latest version of WordPress.
iThemes Security is one of the best and most feature-rich plugins to easily secure your WordPress site. While it’s not possible to achieve 100% security online, using iThemes Security plugin will eliminate most threats. It has some of the best features available in a security plugin. Setting it up is easy and using it is intuitive. I tried it with several themes and plugin configurations and had no issues with it.
Have you tried iThemes Security plugin? Do you use one of these alternatives? Did I leave out your favorite security plugin? I’d like to hear your thoughts in the comments below!
Article thumbnail image by Tarchyshnik Andrei / shutterstock.com