iThemes Security Review 2024: Hardening WordPress Security

Need to protect your WordPress site from hackers? Keep your site locked down and secure with the fully-featured iThemes Security plugin. In our iThemes Security review, you’ll find out how it protects your site from all kinds of security threats, from brute force login attempts to troublesome bots and vulnerabilities.


Why Do You Need a Security Plugin?

It’s true that WordPress is a pretty secure CMS right out of the box. It gets frequent updates to fix any bugs and plug any security holes that arise.

But, it’s also one of the most targeted content management systems by hackers because of its massive popularity.

Despite their best efforts to keep their sites safe, most users are not security experts. They may not be aware of security best practices, and unintentionally introduce vulnerabilities through their actions (or lack of action).

Every site is vulnerable. Hackers target all varieties of websites, not just to steal data, but also to spread malicious code to your site’s visitors.

And, if your site does get hacked, it can be a huge blow that’s difficult to recover from. Not only do you have to fix your hacked site, but you also have to repair the damage caused to your reputation. Your users may have trouble trusting your site in the future.

About iThemes Security

iThemes Security is the best WordPress security plugin created by the security experts at iThemes. The plugin helps you secure and protect your WordPress site from all security threats and provides you with peace of mind. It’s simple and user-friendly; you can use it easily even if you’re a beginner.

The plugin works to fix common security issues and protects your site from hacks, malware, and breaches. It adds an extra layer of protection to your WordPress site so it becomes impossible for online villains to break your site.

The major features of the plugin are brute force protection, file change detection, 404 detection, strong password enforcement, and database backups. Moreover, there are many more brilliant security features in the plugin. Above all, instant email notifications after threat detection help you fix issues quickly.

Check out our article on the best WordPress security plugins.

How iThemes Security Keeps Your Site Secure

iThemes Security has over 30 ways to keep your site safe and secure from hackers, including:

  • Ban the IP addresses of known attackers from logging into your site
  • Lock out users after too many bad login attempts (similar to Login LockDown)
  • Scan your site to detect malware and other suspicious code
  • Enforce strong passwords for all accounts
  • Force SSL for your dashboard or any page or post, as long as your server supports it
  • Monitor your files for any unauthorized changes
  • Receive email notifications of any suspicious activity on your site
  • Obscure and hide important system information about your WordPress installation
  • …and more

Also, check out: How to perform a security audit to help you keep an eye on your site.

Lock Down Your Site with iThemes Security Pro

The Pro version of iThemes provides more advanced features and automation to save you time and keep your site even more secure, including:

  • 2-Factor Authentication: Set up a mobile app (such as Google Authenticator or Authy) so only you can log in with your smartphone
  • Malware Scan Scheduling: Automatically scan your site for any suspicious code every day
  • Password Expirations: Force users to create new passwords after a period of time of your choosing
  • Import and Export Security Settings: Quickly set up your other WordPress sites with the same settings
  • Customize Login URL: Prevent people from trying to log in to your site by customizing your dashboard login URL

How to Set Up iThemes Security On Your Site

Important: Before installing the iThemes Security plugin and activating any of its security features, be sure to make a complete backup of your site. This is because the plugin makes changes to your database and site files which, on rare occasions, can cause problems with your site.

After installing and activating the plugin, you’ll see a notification to activate iThemes Brute Force Network Protection, which is free. This connects you to the iThemes network, so known brute force attackers already in their database will be automatically blocked from logging in to your site.

[Screenshot: activate brute force API]

Just fill out your email address to get the free API key.

Now, you can navigate to Security » Settings to choose which security options you’d like to enable.

Looking at the settings screen can be a bit overwhelming with all the options available:

[Screenshot: settings]

But, you’ll notice the recommended options are automatically shown, while more advanced options are hidden.

Each item has a short description of what it does. You can pick and choose which ones you’d like to enable and configure.

The features with an Enable button are easy to set up: just click the button, and it’s set.

The features with a Configure Settings button may require you to review settings or fill out a few options to get started. For example, if you click on Banned Users, you can manually enter specific IP addresses to ban:

[Screenshot: banned users]

You can also navigate to Security » Security Check to scan your site.

[Screenshot: scan your site]

Support and Documentation

The explanations provided within the plugin dashboard make it clear what each option does. The FAQ on WordPress.org addresses the most common issues and steps you can take to fix the problem. There are also more help articles available on the official iThemes support site.

For the free version of the plugin, community support is available on the WordPress.org support forums, where users are active in helping each other out. Most support threads are resolved quickly.

iThemes Security Pro users have access to official support from the developers.

Pricing for iThemes Security

iThemes Security features 3 different pricing plans called Basic, Plus, and Agency. You can choose a plan depending on the number of sites you want to use iThemes Security on.

[Screenshot: iThemes Security pricing]

Basic is the starting plan that costs $99 per year and supports 1 WordPress site. If you’re managing just 1 website, this is the ideal plan for you.

If you have up to 5 sites, check out the Plus plan at $199. It’s cool for medium-scale entrepreneurs and freelancers.

For up to 10 sites, there’s an Agency plan at $299.

All plans include 1 year of ticketed support and 1 year of plugin updates. iThemes Sync helps you manage multiple WordPress sites from one dashboard, including one-click WordPress updates, uptime monitoring, WordPress theme and plugin manager, etc.

iThemes Security vs. WordFence Security

Searching for the best security plugin for your website?

You may have heard about WordFence Security, another popular free security plugin.

After testing both plugins, we found that, while WordFence Security may be a good basic security plugin, it puts significant load on your server and has a clunky user interface. (See our full WordFence Security review for more details.)

iThemes Security does have some features which may slow down your site, such as the File Change Detection features, but overall works better. Keep in mind: anything that continually scans your files will take up resources.

However, because iThemes Security is so customizable, you can pick and choose which features to enable. You can easily avoid the ones that may slow down your site, or only run them during low traffic periods.

If you’re looking for more alternatives, check out Sucuri. We have a complete review that will help you decide: Is Sucuri right for you?

You should also read our ultimate WordPress security guide for more details.

Our Verdict

We believe all WordPress websites benefit from installing a security plugin. The only question is which one is best for your site.

iThemes Security is one of the most popular and highly rated security plugins in the WordPress.org directory.

We found the iThemes Security plugin easy to use, even if you’re not familiar with security jargon or best practices. It clearly explains each feature on your dashboard. While there are a lot of options, they’re presented in a manner that’s not too overwhelming.

We give iThemes Security 4 out of 5 stars. Here’s the breakdown of our review scores:

4.0 / 5.0
5.0 / 5.0
5.0 / 5.0
4.0 / 5.0
Ease of Use
4.0 / 5.0
4.0 / 5.0

Comments

  1. Julian Coates July 26, 2019 at 4:31 pm

    Just wondering, I have Wordfence installed on 1 site and it has just noticed a few abandoned plugins that need to be removed. I have iThemes security on most other sites and I don’t think it spotted those plugins. Does iThemes security detect and alert about abandoned or otherwise dodgy plugins?

    1. Hope you realise, when you have many WP websites, let’s say 100, Wordfence would cost you a kidney… And of course as a developer you should keep track of your plugins yourself and message any client that could be vulnerable… But hey, what am I saying, many developers don’t even tell the client they have to update and maintain their WP and I am dreaming about protecting the old clients. Yea, many developers should get a new job because they do their job so badly…

  2. The support from this company is bad. They waste time sending generic emails that do not solve the issue. The condescending manner in the way they respond is alarming.

  3. iThemes seem to have good plugins, but very bad support – they take over a week to reply. When their hosting has an issue or you are stuck restoring a site for backup – a week or so offline is a long time to wait.
