WordPress security is a major concern both for rookies and experts. Implementing countermeasures to security threat can be challenging. WordPress has many features that make it a vulnerable target.
If you are concerned about your WordPress site’s security (and you should be worried), you must deploy several layers of security. One of them should be server-side hardening by your hosting provider.
The other measure you can deploy is a Web Application Firewall (WAF) and DDoS mitigation measures provided by services like Cloudflare, Sucuri, etc.
The third option is to use some security plugin that will harden your website from inside. There are many security plugins available such as Wordfence, WPScan, BulletProof Security, All in One WP Security & Firewall, Sucuri, iThemes Security Pro, etc.
This article will review the iThemes Security Pro (there is a free version named iThemes Security) and attempt to find out the features it offers.
So, take your time and read carefully. This is going to be an interesting read. At the end of the review, you will be able to decide whether you want to go ahead with a purchase or not.
Thus, if you are ready, let us begin!
What is iThemes Security Pro?
iThemes Security Pro is a security plugin developed by iThemes, which is a popular name in the WordPress space. iThemes is known for giving some of the most popular premium plugins like Backup Buddy, Restrict Content Pro, List Building Combo, BoomBar, and more.
iThemes Security Pro is one of the most famous security plugins out there with tons of security features that help in hardening a WordPress site. In total, the plugin provides 35 modules with each module having specific function.
They even throw in a malware scanner that scans your sites for malware, website errors, out-of-date software, blocklist status, etc.
What Features Are Offered By iThemes Security Pro?
As I said, iThemes Security Pro offers 35 modules out of which 29 modules are recommend modules and 6 are advanced modules.
Out of these 35 modules, 12 are available only and only for pro users. The remaining 13 are available in the free version (iThemes Security) that you can download from the WordPress plugins repository and use for free.
Let us go through each module and find out what they do.
Ready?
Features Available in Both Free and Pro Versions
#01. Security Check Module
This is the first module you will notice in the dashboard of iThemes Security Pro (you can access the options from Dashboard >> Security >> Settings).
Clicking on the “Show Details” button will open new popup window where you will notice a list of modules that iThemes recommends turning on. If you click on the “Secure Site” button, the plugin will automatically enable the modules and configure them.
#02. Global Setting Module
As the name suggests, you can set a few parameters here and the plugin’s individual modules will respect that. The default settings are quite good. However, you are free to toy around with the settings.
The settings that you should not be fooling around with are clearly documented. So, leave them alone and play with rest. I will still recommend that you leave the default settings unaltered unless you know what you are doing.
#03. Notification Center Module
This is where you will get the opportunity to configure the email notifications that iThemes Security plugin will send to you. Be clever! Incorrect settings can flood your email inbox with hundreds of messages and that can get frustrating quickly.
Play special focus to the Site Lockouts segment. By default, it is enabled, and you will keep receiving hundreds of emails throughout the day. I will recommend turning it off, but if you are okay with so many emails reaching your inbox, you can leave it as is.
Honestly, I do not see a reason why you should enable this option. Simply set the rules for lockouts and forget it. There is a logs segment available where you can check which hosts and IPs have been locked out by the plugin. You do not have to receive emails for that.
#04. User Groups Module
This module will allow you to define the different security roles for different user groups. For instance, Administrator users will have the rights to manage the global settings of iThemes Security. They can also force two-factor authentication, and so on.
Administrators will have maximum control while those belonging to Contributors and Subscribers groups will have the least permissions.
The default settings are perfectly fine, and you should leave them as is. Of course, you can always change the settings depending on how much you trust your team members or organization members.
#05. 404 Detection Module
No, the plugin is not going to detect 404 pages for your website. Instead, it will detect the users who are hitting many 404 error pages in short span of time.
Hackers usually have a tendency of checking out 404 error pages to see if they can find any vulnerability in your website and exploit it to get unauthorized access.
You can configure this module in a way that those hitting too many 404 errors in a short span will be locked out for a certain number of times after which, any further attempts by those users will trigger a permanent ban.
#06. Away Mode Module
This is a fascinating feature. You generally tend to update your website only at certain times. You do not need to keep access to WordPress dashboard throughout the day.
This module will allow you to configure specific times when the access to WordPress dashboard will be allowed. You can work on your website within the specified period, after which the access to dashboard will be automatically revoked.
There are benefits and disadvantages to this feature. The obvious benefits are that you can keep hackers and malicious actors away from your website’s dashboard by limiting the exposure. Also, if you are running some classroom schedule or something similar you can restrict access to the website outside the defined time frame.
As far as disadvantages are concerned, it may so happen that when working on your website within the defined time frame, some unexpected event may drag your attention. If that situation persists for a long beyond the specified time frame, you will lose access to your incomplete work until the next scheduled access time.
So, use it wisely!
#07. Banned Users Module
If you want to ban certain users from accessing your site, you can do so using this module by adding their IP addresses. You can also ban certain user agents.
Here is a problem – people may be using dynamic IP (which is mostly the case). So, when you block a person using his or her IP address, you are blocking a dynamic IP. It will change. The next time the person logs into his or her internet account, the IP will be change.
So, banning an entire IP range is more suitable here. It is difficult to find an IP range. It is better not to attempt anything here. You can just enable the first option called “Enable HackRepair.com’s ban list feature.”
That is all! Leave everything else as is!
#08. Database Backup Module
As the name suggests, it will backup the database of your website. You do not need to enable this option if your hosting provider is already offering you backup services.
For instance, if you are using managed WordPress hosting like Kinsta or Flywheel or Liquid Web (Nexcess), you will already have backup services in place.
#09. File Change Detection Module
I will suggest that you enable this. Security threats are very much real and even the best of the security measures can fail. If someone unauthorized manages to get into your website, he or she will change something.
When something changes, the File Change Detection module will inform that to you comparing your installation with the last checked files instead of comparing your installation with a remote installation thereby taking account of whether the changes were made by you.
#10. File Permissions Module
It will show you the list of directories and files with their respective permission. Only the key directories and files will be shown. You will notice that it will show you the currently set permissions along with the suggested values. You must have the suggested permissions in place with no warnings at all. If you see warnings (as shown in the image below), contact your hosting provider to get things fixed.
#11. Local Brute Force Protection Module
Enabling this module will prevent the hackers from trying unlimited number of password and username combinations to get into your website. This module will place a login limit. Anyone exceeding the set limit will be permanently blocked.
Please enable this module.
#12. Network Brute Force Protection Module
This module will allow you to join a network of sites that reports hackers and malicious people who attempt brute force attacks. By enabling this module, iThemes will completely block those IP addresses that previously attempted to break into other sites.
#13. Password Requirements Module
Yes, enable this! Using this module will enable you to force other users on your website to change their passwords into stronger passwords. You can even make the passwords expire after a certain time, thereby requiring other users to keep changing their passwords at a set interval. 30 to 60 days is perfectly fine.
#14. SSL Module
Leave it disabled because likely your website already has an SSL certificate provided by your web hosting company without any charges. That is perfectly fine.
#15. System Tweaks Module
Unless you know your web hosting sever very well, and you know how to configure it or make changes to it, I will never recommend enabling this option. Leave server management to the hosting company. DO NOT enable this option. It is a very advanced option, and you should tread carefully.
#16. WordPress Salts Module
A SALT key is a secret key (something like a password) that keeps your WordPress site secure by adding an extra security layer. While SALT keys are difficult to guess, if people get access to them, it will mean absolute disaster.
Thus, changing your SALT keys at certain intervals is a good security practice. Enable this.
However, do not forget that the very moment you change the WordPress SALT keys, you will be logged out of WordPress dashboard. You need to login again. Do not worry! Changing SALT keys will not change your username and password.
#17. WordPress Tweaks Module
Be careful! What you do here can break your site. This module will allow you to tweak certain WordPress settings to increase the security. However, there are options for disabling certain features that are often used by many webmasters.
For example, this module will recommend you disable XML-RPC if you are not using plugins and other services that use it. Jetpack for instance, uses XML-RPC. If you disable it, Jetpack will not work.
If you are enabling any feature in this module, make sure that you are clearing the cache of your website and then testing it thoroughly to ensure that nothing is broken. A broken site always creates a bad user experience.
Features Available Only in the Pro Version
#18. Magic Links Module
What if you forget your username and continuously keep trying to login? The plugin will look at it as a brute force attack and lock your username and / or IP. What will you do then?
This is where the Magic Links module comes in handy. It will send you a link to your email that will allow you to bypass the lockout. You can then get into your WordPress and release your IP or username so that you can login normally.
#19. Site Scan Scheduling Module
You can use this module to perform automated scans of your site at set intervals. You do not have to run the scans manually. If the plugin finds something wrong, it will notify you through and email.
#20. Passwordless Login Module
If you enable this module, you will receive a link WordPress login page. That link will allow you to login to your WordPress site without password and / or two-factor authentication. It is quite safe. You can enable it.
#21. Privilege Escalation Module
With this module you can temporarily give additional access to a specific user for a certain amount of time. For example, you may hire a developer who will need admin access to deal with your request or problem in hand. Enable this module only and only when you need it.
#22. reCAPTCHA Module
It is a bot protection module that will prevent a bot from logging into your site or leaving a comment. reCAPTCHA throws a challenge that only a human user can solve.
#23. Setting Import and Export Module
Want to use iThemes Security Pro with the same setting on a different site, or perhaps import the settings from another site (where you have already configured iThemes Security? Enable this option to import or export the setting and make your life simpler.
#24. Security Dashboard Module
This will be a dynamic dashboard with real time view of security activities. Trust me, you do not want this running 24×7! It will eat up your system resources. Do not enable this feature.
#25. Two-Factor Authentication Module
This module will add an extra layer of security to your website by enabling two-factor authentication. You can use a mobile app like Authy or Google Authenticator, or you can use email or backup authentication keys.
Alternative, you can use all three. I will recommend using only and only the mobile app method because it is the most secure option. With email, you will always run into a risk unless you are using an email encryption service.
As far as backup authentication codes are concerned, you may lose them anytime.
#26. User Logging Module
If you enable this module, the plugin will log user actions like logins, content saving, etc. Leave it disabled, because it will increase the log size, thereby putting pressure on your server storage, especially if you allow your site users to create accounts and login.
#27. User Security Check Module
It will show you the security status of all registered users on your website including whether they have two-factor authentication enabled or not, whether they have a strong password or not, etc. Enable this feature to get a bird’s eye view.
#28. Version Management Module
By enabling this feature, you will allow iThemes to automatically update / upgrade WordPress core, themes, and plugins. It will also run checks to find whether an immediate update (if available) will fix vulnerabilities or not.
#29. Trusted Devices Module [in Beta]
With this module enabled, the plugin will identify the devices that users use frequently to log in. If it detects any other device, it will put additional restrictions in place to maintain high security. Since it is in Beta, I will not recommend using this feature.
Highly Advanced Features Available in Both Free and Pro Versions
#30. Admin Users Module
If there is any user that uses the user ID 1 or uses the username ‘admin,’ this module will simply remove the user. DO NOT DO THIS! It can cause severe compatibility issues with other plugins, customizations, and themes.
If you want to try it, use it on a brand-new website with no content understand how it works. If you want to use this feature on a production site, make sure you take full backup of your website (especially the database) before you fool around with this feature.
#31. Change Content Directory Module
Leave it untouched unless you know what you are doing. This module will change the name of the WP-CONTENT directory to something else. If you do that, here is what will happen:
- You cannot revert the changes by disabling this module.
- If your content directory already has images in it, your website will break immediately. You will have to map every image URL all over again.
If you intend to do this, make sure that you are making a full database backup. I will suggest that you go for a full website backup.
I will repeat – DO NOT DO THIS!
#32. Change Database Table Prefix Module
WordPress usually uses wp_ as the prefix. This makes the lives of hackers easy because they already know the important table names of 95% of the WordPress websites.
Changing the prefix to something else like 9xgt3raf_ will make it extremely difficult for hackers.
By using this module, you risk two things:
- You may permanently cause damage to your database. So, backup is important.
- It uses a lot of memory, which can very well exceed the memory allocated for your hosting account.
I will not ask you to NOT use this feature, but keep in mind the issues you may face.
#33. Hide Backend Module
By using this module, you can hide the wp-login page (wp-admin, wp-login.php, admin, and login). This will minimize the automated attacks that often target the login page. However, just hiding the backend will not mean that you will have a free pass to using a weak password.
#34. Server Config Rules Module
When you install iThemes Security Pro plugin, it adds certain configuration rules to the .htaccess file. That file should have “write” permission enabled. If that permission is not available, iThemes cannot write those rules to the configuration file.
In such a case, you must manually add the code. There is no enable or disable feature here. It has certain details available. You can reveal the configuration code, copy it, and manually add it to the configuration file.
#35. Wp-config.php Rules Module
This is yet another extremely advanced feature. iThemes Security Pro will add some rules to the wp-config.php file. So, it should have “write” permission enabled. If that is not granted, you need to manually add the permission to the wp-config.php file.
Okay, now that you are fully aware of the features available in iThemes Security Pro plugin, it is time to go through the pros and cons of the plugin.
Let us investigate the advantages first.
The Advantages of iThemes Security Pro
This fascinating plugin has amazing features, and hence, offers a lot of advantages. Here is what I think are the advantages of this plugin:
Initial Screening:
The plugin will screen every user that comes to your site and tries to access it. This ensures that the plugin will filter out the bad guys depending on their activities.
Easy Setup:
The setup process is quite simple. All modules have clear explanation, allowing anyone with any skill level to configure the plugin with ease. In fact, the basic setup that the plugin performs upon installation is good enough for most of the websites.
Powerful Free Version:
The free version of the plugin is quite powerful with multiple features. Of course, some unique features like two-factor authentication, reCAPTCHA, Passwordless login, etc. are absent in the free version. Those features are also extremely important, making an upgrade a worthwhile investment.
Nearly All-round Protection:
The plugin takes care of almost every aspect of WordPress security, making it a fantastic addition to any website.
Salting:
The SALT key configuration feature helps to protect the logged in users from various threats.
Password Configuration:
The very idea of forcing users to change their passwords after a certain time frame is brilliant. It is a good practice that you should implement. Also, forcing users to use strong passwords is also great!
Straightforward Dashboard:
The dashboard is straightforward. There is no complex navigation and no multipage navigation. Everything is present on a single page, making it easy for users.
Alright, now that you know about the advantages, you should also know about its disadvantages. Let us find out!
The Disadvantages of iThemes Security Pro
The plugin is plagued with various problems. They may not be too visible but taking wrong steps while configuring the plugin will reveal those issues.
The problem is that not everyone is technically sound, and hence, misconfiguration is always a possibility.
Here are the disadvantages of iThemes Security Pro:
It Can Break Your Site:
If you fail to configure the plugin properly, it can easily break your site and make it look ugly. In the worst case, it will make your site inaccessible.
It is a Heavy Plugin:
iThemes Security Pro has many features and configurations, making it a heavy plugin. It does consume a lot of space and it uses a lot of memory. So, if you have limited resources (that is, you are on a shared hosting server with 1 GB or less of memory), I will not recommend using the plugin.
Page Load Speed:
It will slightly slowdown your website and that will reflect in PageSpeed Insights score. Here is a simple example:
Mobile Speed
Desktop Speed:
Before installing the plugin on this website was very well-optimized to give a speed of 100 on both mobile and desktop even with ads running on the site.
After activating the plugin, the score dropped by one (1) point on both mobile and desktop.
Now, I need to optimize the website once again to achieve that perfect score. It will require playing around with JS codes.
Some Protections Missing:
Did you hear about security headers? They are basically some security measures that are present in the header of your website. The most important ones are:
- Strict-Transport-Security
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
- Content Security Policy.
iThemes Security Pro does not cover any of these. You need to implement them separately.
Talking about these security headers, it is always good to apply them through direct server configuration, wp-config.php file, .htaccess, etc. However, you can use plugins. There are separate plugins available.
Also note that you should avoid applying Content Security Policy because that can break your site. Unless you know your WordPress site inside out and you are fully aware of which scripts and images are loaded from external sources, it is not advisable to apply Content Security Policy.
Also, do not forget that iThemes Security Pro (or its free version) is not going to give you a Web Application Firewall. If you want a WAF, you can look into options like Cloudflare, Wordfence, Sucuri, etc.
Some Hosting Providers Will Not Allow It:
Some hosting providers will simply not allow you to install the plugin. So, make sure that you approach your hosting provider to know whether they will support the plugin or not. Usually, under-powered hosting plans do not do well with this plugin.
Some good hosting providers like Kinsta, WPX, Liquid Web (Nexcess), etc. will allow installing the plugin. In fact, Liquid Web will give you the pro version of the plugin as a part of their hosting plan.
iThemes Security Pro Plugin Pricing
iThemes Security Pro has three different pricing plans and they are:
Blogger Plan: It will cost you $80 a year. With this plan you can protect one website, get security updates for one year, and get support for one year.
Small Business Plan: It will cost you $127 a year. With this plan you can secure 10 websites and get security updates and support for 1 year.
Gold Plan: It will cost you $199 a year. With this plan you can secure unlimited number of websites and get security updates and support for 1 year.
Conclusion
Is iThemes Security a great plugin? Yes, it is! There are numerous features that will force users to enforce good security practices and due diligence. It is meant to thwart off know security threats.
Simply put, the plugin is not bullet-proof. The developers are clear about this. Any security measure you deploy can be broken with more advanced and unknown threats, but letting your website become a victim of the long-known threats is “absolutely foolish.”
iThemes Security Pro might not be able to protect your website from previously unknown threats, but it will, sure as hell, give you protection from known threats.
So, you should not fully depend on iThemes Security Pro alone. Combine it with additional security like DDoS protection, security headers, HTTP/3 protocol, Web Application Firewall, etc. One of the best options you can use is Cloudflare.
Additionally, I will always recommend using a managed WordPress hosting solution (if you are not equipped with the knowledge necessary to handle cloud hosting like Vultr, DigitalOcean, etc.) that proactively defend their servers from threats.
