If something is important to you it is worth protecting. If that something is the website being subjected to unlimited hack attempts or nefarious attacks, it’s vital that some form of protection is used – and that’s what the iThemes security plugin is all about. If that website represents your brand, your business or livelihood, then, it becomes critical to make sure it is 100% protected.

For WordPress users, there are multiple options for locking down your website. The four main protagonists are iThemes Security, WordFence, Sucuri and All in One WP Security. All do much the same thing in slightly different ways.

Today we are reviewing the iThemes Security plugin.

What is the iThemes Security Plugin?

The iThemes Security plugin is the brainchild of Cory Miller, the former journalist turned entrepreneur. He founded iThemes to develop tools to help web designers create elegant WordPress themes and to train new developers. The company then expanded into hosting, backups, security and other tools designed to help the millions of people who use WordPress.

WordPress is a very accomplished Content Management System (CMS) that powers around a third of the internet. It does many things very well and is improving all the time. It is also a huge undertaking and contains many facets.

One thing WordPress doesn’t do too well at is security. Hosting a website using WordPress is easy but unless you take steps to secure that website, it is also easy to hack.

It’s not that it is inherently not secure, it’s that the sheer enormity of the industry makes it lucrative for easy pickings.

That’s where plugins like iThemes Security come in. They bolt onto WordPress to add extra protection features. In this case, a raft of security features designed to make WordPress much more secure and much more difficult to hack.

iThemes Security basic dashboard

Main features

iThemes Security comes in two flavors, the free version of iThemes Security and Pro which is a premium plugin. Both offer a range of features.

iThemes Security provides:

  • A basic security check to assess existing vulnerabilities.
  • Blacklists for banned users and IP addresses to stop hacking bots.
  • Backups and database syncing tools in case the worst happens.
  • Brute force detection to stop dictionary hacks.
  • File change detection in case something gets through.
  • 404 and exploit detection to stop hackers scanning your site for vulnerable pages.
  • Password configuration and salting to make passwords more secure.
  • SSL and system tweaking to improve site performance and force secure connections to the WordPress dashboard.

iThemes Security Pro includes the above and adds:

  • Malware scanning to make sure no malicious code gets through.
  • Two-factor authentication for seriously good security.
  • Version management so you can check files have not been replaced.
  • Import and export tools to copy security settings from one website to another.
  • reCAPTCHA integration to stop bots emailing you or logging in.
  • User security checking tools for effective user management.

There is a good balance struck with iThemes Security.

Quite often, free versions of apps or plugins are barebones attempts to convince you to upgrade to the premium version.

That is not true here.

The free version offers a credible range of security tools that will secure your WordPress website. The premium version offers even more tools that can add extra layers of security to WordPress.

Brute Force Network Protection

Installing and setting it up

Installing iThemes Security is very straightforward. If you have ever installed a WordPress plugin before, the same process applies here.

We first need to perform a full backup before adding the plugin. iThemes Security makes some database changes and while rare, issues can arise from any change to the WordPress database so it is much better to be safe than sorry!

  1. Perform a backup of your WordPress site using your default backup tool.
  2. Log into your WordPress dashboard and navigate to Plugins.
  3. Select Add New and type or paste ‘iThemes Security’ into the box.
  4. Select Install and then Activate the plugin.

Security check

Configuring for WordPress Security

Once downloaded and installed, you will be presented with an extra menu item in the left menu pane.

Select Security to access iThemes Security.

You will be presented with the option to enable Brute Force Network Protection. We suggest entering your email address into the box to get the API key to enable this option. It’s free and just requires your email.

Brute force attacks are common as software bots can perform relentless attacks for very little investment. Your web host can offer some level of protection from brute force attacks but it pays to add your own defensive layer.

Once done, you are presented with the iThemes Security check-up page. This is a comprehensive routine that performs many of the basic checks necessary to assess the vulnerability of your website. Allow the plugin to perform the check and make the suggested changes.

Pro Configuration options


Once you have finished the initial setup and security check, you will be presented with the main iThemes Security dashboard.

There is a lot to take in here but don’t worry too much. Each section has a brief description and a set of defaults. You can set each to Enable using those defaults before you dive into configuring everything manually.

We would suggest enabling all protections using default settings and then investigate each option, in turn, to make sure it works for you.

There is a lot to check but we strongly suggest investing the time going through all of the options. Not only will you then know exactly what this plugin is doing but also what default settings might not work in your particular situation.

Unless you have paid for iThemes Security Pro, the bottom half of the screen will be greyed out. That’s normal. Once you subscribe, those options become available and will offer their own defaults to enable, or not, depending on your needs.

Local brute force detection

Securing your website

While every website is different, the plugin does a good job of including universal settings in the initial setup. That way you get maximum protection with the minimum of effort. You can then configure them further as you see fit.

To secure your WordPress website, we suggest the following:

  1. Acquire the API for Brute Force Network Protection and enable it.
  2. Perform the Security Check and allow all recommended options.
  3. Enable 404 Detection to prevent the scanning of your site for vulnerable pages.
  4. Enable Away Mode if you want to lock down your WordPress dashboard except for specific times of day.
  5. Enable Banned Users to begin creating an IP blacklist of scans and hack attempts.
  6. Enable Database Backups only if you don’t already have a backup solution enabled.
  7. Enable File Change Detection to alert you to any unauthorized changes to files.
  8. Enable File Permissions to lock down access to certain file types.
  9. Enable Local Brute Force Protection to stop hackers trying to log in.
  10. Enable Brute Force Network Protection as discussed earlier.
  11. Enable Password Requirements to enforce minimum password standards for logged in users.
  12. Enable SSL to force browsers to use SSL connections whenever logging into your website.
  13. Enable System Tweaks to benefit from some basic changes to server-side configurations.
  14. Enable WordPress Salts to add random characters to all passwords for an extra layer of protection.
  15. Enable WordPress Tweaks to change how WordPress behaves in some situations.

If you’re using iThemes Security Pro you have some extra options to enhance the security of your website.

  1. Enable Magic Links to allow logged in users to request email password resets.
  2. Enable Malware Scan Scheduling to periodically scan your installation for malware.
  3. Enable Privilege escalation to allow time-limited administrator powers to certain users.
  4. Enable reCAPTCHA to add a Captcha to logins, comments and other interactions to prevent spam.
  5. Enable Settings Import and Export to copy security settings to another website using the plugin.
  6. Enable Two-Factor Authentication for the (current) best security there is.
  7. Enable User Security Check to check users for vulnerable settings or passwords.
  8. Enable User Logging to track actions of every logged in user on your site.
  9. Enable Version Management for auditing and content management.

Even if you just enable the default features and do nothing else, you significantly enhance the security of your website. Whether you have suffered hacks in the past or not, your website is now as secure as it is possible to be while using WordPress.

Pros and Cons

There are both positives about iThemes Security and some negatives. It’s only fair to highlight them both here.


The positives about iThemes Security include:

Ease of use – Once installed, the default settings provide an excellent level of security without having to spend hours configuring settings.

Free version is full of features – It makes a nice change to see a free plugin deliver comprehensive features.

Defense in depth – It offers a range of measures at different levels of WordPress to protect it from threats.

Protects from within as well as from without – Many WordPress security plugins do a good job protecting you from internet threats but not so good with internal ones. This plugin offers many safeguards from logged in users as well which is a significant benefit.

Salting – Password salting is a minor security function but a very useful one. Alongside minimum password quality enforcement, salting goes a long way to protect logged in users.


The negative aspects of using the plugin can include:

Overwhelming amount of options – While the defaults are fine for most users, there is a huge amount of information to take in and decisions to potentially be made. Few users will likely go past default settings.

File Change Detection and User Logging can slow things down – Enabling both of these functions can slow down the WordPress dashboard significantly. While it won’t affect website performance, some stuttering or lag can be experienced by logged in users.

Pro is pricey – There is no escaping the fact that iThemes Security Pro is expensive. I count this as a con even though I would thoroughly recommend everyone use Pro.


iThemes Security pricing

That last con of using iThemes Security brings us nicely to pricing. If you decide that the free version of the plugin isn’t enough and you want to use some of the more advanced, and arguably, more powerful security features, you need to pay.

Currently, there are three pricing structures for iThemes Security. They are Blogger, Freelancer, and Gold.

Blogger allows you to protect a single website and includes one year of updates and ten sync sites for Settings Import and Export. There is also one year of ticketed support. It costs $80 per year.

Freelancer allows you to protect up to ten websites and includes ticket support, a year of updates and 10 sync sites for Settings Import and Export. Freelancer costs $127 per year.

Gold allows you to protect an unlimited number of websites and offers the same ticketed support, updated and sync sites as Blogger and Freelancer. Gold costs $197 per year.

While $80 per year may seem a lot, if you put your heart and soul into your website, how much is too much in order to protect it? If you’re running a business website, that becomes even more true as hacks and downtime can impact reputations as well as users.

What we like

So what’s to like about using iThemes Security? The things we like are similar to the pros list above. We like that any user of any skill level can quickly secure their WordPress website. We like that those of us who are more experienced can dive into individual settings and have granular control over how our website is secured. We also like how the free version offers a credible security option for the majority of users.

The dashboard is very straightforward and easy to get to grips with. The initial security check is also a great idea that screens the user from the potential minutiae that could put them off using it. It is clear that a lot of thought has gone into how iThemes Security works as well as how much protection it offers. It is accessible, simple to set up and takes care of itself. Psychologically that’s a big win for users and lowers the barrier to entry significantly.

What we don’t like

What I have found most surprising about iThemes Security is that the negatives are very few and even then, are more picky than anything. I don’t like having to surrender my email address in order to get an API key even if it does offer strong protection against brute force attacks. We understand there is a server overhead to contend with for this feature but it may prevent some people from using it.

We also don’t like it when file logging slows down the dashboard. While the lag is minor, it does detract from the experience.

Finally, lots of the features included within the plugin are for community websites with registered users. It would be nice if the plugin was modular so if you’re just running a business or hobby website, you don’t need all of those services installed.

Wordfence dashboard

Alternatives to iThemes Security

We mentioned at the top that there were four main players in the WordPress security market, iThemes Security, WordFence, Sucuri and All in One WP Security.

So how does iThemes Security compare to these others?

If you’re looking for a more comprehensive review and a number of other alternatives you might want to look at the following post: 10+ Best WordPress Security Plugins compared (Free + Premium) – CollectiveRay – it’s a detailed deep dive into a number of plugins, including all 3 plugins mentioned below together with iThemes and how they compare to each other.

iThemes Security vs WordFence

WordFence is one of the most popular WordPress security plugins out there and for good reason, it is very effective at what it does. WordFence takes a lot of the hard work out of security and automates it. Unlike iThemes Security, there is a slight delay in page loading as a result. When PageSpeed is such a significant SEO factor, that’s not good enough.

iThemes Security vs Sucuri

Sucuri is another popular security plugin and offers many of the same features as iThemes Security. It is also straightforward to configure, automates many core functions and offers both a free and premium version. Unforgivably, Sucuri places the firewall function as a premium-only feature. That’s seriously bad form as far as we’re concerned.

iThemes Security vs All in One WP Security

All in One WP Security is the other big name in WordPress security and does a very similar job as these others. It’s a comprehensive suite of features that split them into Basic, Intermediate and Advanced. While it covers a lot, the dashboard isn’t as clear or as concise as it could be. Plus, anytime you put ‘Advanced’ on a feature, it automatically puts some users off.

Wrapping Up

Overall we think iThemes Security is a superb security plugin for WordPress users of all kinds. Hobbyist users can protect their site at no cost, small businesses or more owners of more serious websites have the option for superior protection at a relatively low cost. The interface is easy to get to grips with, most of the heavy lifting is done automatically and further tweaking is completely optional.

We rarely advocate paying for premium services with WordPress plugins as they are usually unnecessary, although of course there are plenty of stuff which we are actually happy to pay for.

This is one of those exceptions.

The ability to add malware scanning, two-factor authentication and reCAPTCHA to a website is too important to miss. None of which is available quite so readily, or so easy to use as within this plugin. Two-factor authentication is worth the price alone as you immediately elevate your website security into the 99 percentile. If you want to protect your website as best you can, it’s a no-brainer.

Rating iThemes Security

We would score iThemes Security 4.5 out of 5. It is almost perfect and certainly the only security plugin you would ever need for WordPress. Were it not for those minor niggles, it could get a perfect score, but where’s the fun in that? Perfect scores mean nothing to strive for and when the thing being striven for benefits us as users, it makes sense to keep the developers on their toes!