Websites get hacked every day. They get crashed by denial-of-service attacks. Malware gets inserted into their files and wreaks havoc.
Before you think this only happens to popular websites, think again. Hundreds of thousands of small websites and blogs have suffered hacking attacks at least once… in many cases, without the owners even knowing about it.
For WordPress websites, security plugins are the main mitigating solutions. They’re not to be relied on alone, of course (you usually need a multilayered security approach for your site to be anywhere near safe), but these plugins can do a lot of the work needed to protect your site. They should thus be considered very carefully.
The iThemes Security plugin is one of them. It used to be known as the Better WP Security plugin, so some of you might know it by that name. As you can tell from both its old and new names, it’s essentially a plugin aimed at securing your WordPress website against hacking and other external attacks.
Now, iThemes Security is free. That’s pretty impressive for something that already comes with brute force protection, file change detection, bad user lockout, and online file comparisons. Most free security plugins don’t have these as core features.
However, those who want everything it has to offer in protection will still have to go for its premium version: iThemes Security Pro. This adds further features like user action logging, two-factor authentication, and iThemes Sync integration—something that basically lets you manage site security remotely.
Since more security is generally better than less, most people serious about protecting their sites will be interested in the premium version. It costs at least $80, though, which for many small website owners or bloggers is still considerable. Then again, losing your site to a hack may be a worse price to pay.
So is iThemes Security Pro the answer to your site protection woes? Read on to find out.
What You Need to Know
First, the differences. The Pro version adds the following features to the free one:
- a dashboard widget
- Google reCAPTCHA integration
- two-factor authentication
- user action logging
- import/export settings
- strong password enforcement based on role
- temporary role privilege escalation
- WP-CLI integration
- multiple 2FA capability
- current file permission display
- iThemes Sync integration
- private ticketed support
The last item there is probably one of the best reasons to get the premium instead of the free version, in fact. Without it, you will likely just end up looking for answers to plugin problems on a forum. With the premium version, you at least have a better chance of getting help for issues from people in the know.
Everything the free edition has, the premium one has too. That includes, among other things, the brute force protection we mentioned earlier: you can set a limit on the number of failed login attempts each user can make, to protect against brute force attacks. It also allows you to whitelist your own IP if you want to make yourself the exception (handy if you suck at remembering passkeys and watching your own activity).
It’s also able to detect file changes. That’s helpful because hackers will typically try to alter files on your site. An email will alert you to that and tell you what’s being meddled with so you can check it out and implement a fix.
Then there’s 404 detection: the plugin lets you set limits on the number of 404 errors an IP can reach in a specific time period.
Next is strong password enforcement, where you set user levels for your site and the password strength requirements for each level.
You can lock out bad users too, and ban ones on a bot blacklist. You can schedule periods where the admin area is entirely inaccessible, hide login and admin URLs for added precaution, and run online file comparisons to help with malicious activity detection. The list goes on.
It should be clear from this that iThemes Security Pro is a highly capable, multi-featured security solution. It’s also multi-tiered in its packages.
You can get it for as little as $80 a year for use on 2 websites with the Blogger option. Those who want it for 10 websites should pay $100 a year for the Freelancer option. The unlimited site package is called Developer, and costs $150.
The company also offers a $247 package called the Plugin Suite, which gives you all 20 of its plugins (iThemes Security Pro included) for a year on their Developer plans. All options come with a year of ticketed support, a year of plugin updates, and 10 iThemes Sync sites.
What We Like
1. A lot of features – It really does do a lot to protect your website, so we can’t complain about lack of coverage with this plugin. Considering all it offers, the $80 for the 2-site plan is actually a pretty good deal.
2. Sucuri SiteCheck – This is actually the software behind iThemes Security Pro’s malware scan, and it has scheduling, email notifications, and a 10-point evaluation.
3. Easy setup – Not only does the plugin have a default settings option, but it also lists adjustments and notices in an easy-to-use Security Status overview from the start. That way, you can just go through an itemized list with “Fix It” buttons when dealing with security problems and settings.
4. Good tutorials section – There’s ample documentation on things like getting started and how to use its features.
5. High usability – This is a very user-friendly plugin, with a heavily guided configuration experience and an uncluttered interface. Even beginners will quickly learn how to make sense of it.
What We Don’t Like
1. Like all security plugins, can break your site – This is a given, naturally, but it’s worth mentioning here just to be safe. All security plugins make changes to your site that can break it, depending on various factors, so you really have to make a complete backup before installing it. That means backing up not only your site database but also every file on the site using a backup program/plugin.
2. Doesn’t play nice with a few hosting platforms – A lot of VPS or low-RAM shared hosting plans tend to do badly with the plugin, especially if you try to use advanced features like prefix changing and file change detection.
3. Can still require you to edit the .htaccess file for some things – This is usually true if you want to properly conceal certain pages that attract hackers, like the login page.
The Verdict
We like iThemes Security Pro—it’s powerful, reasonably priced considering all it can do, and very user-friendly. That makes it a great security solution for a lot of beginners and small bloggers trying to protect the WordPress sites they’ve set up. That said, it obviously has its limitations.
It’s not going to be a catch-all solution for third-party assaults: there are going to be times when its malware detectors miss something. It won’t be good for all hosting plans either, as noted earlier, and it certainly won’t install perfectly on every site to which it’s applied.
But these things are true of every single security plugin currently being offered. They’re all risks you must face, and you just have to deal with them intelligently. Add a second malware detector, for instance. Find out whether or not your hosting plan has enough RAM for its features (about 1GB is perfect). And most importantly of all, never forget to do a backup.
If those things are taken care of, iThemes Security Pro is as good a protection plan as you can get. It won’t mire you down in complexity, but it will serve you well and won’t skimp. When it works, it does so beautifully, and the sheer smoothness of its user experience gives it great value for a lot of new webmasters.