iThemes Security Review: Is It Worth Installing on Your WordPress Site?
iThemes Security is a security plugin for WordPress that offers a range of features designed to protect sites from various types of security threats. But is it worth installing on your website?
I will provide an in-depth review of iThemes Security, assessing its effectiveness, ease of use, compatibility with other WordPress plugins, and whether it’s worth the cost. By the end of this article, you should have a better understanding of whether iThemes Security is the right choice for your website’s security needs.
TL;DR: Installing iThemes is pretty much the same as having zero security. In fact, I would argue it is actually worse, because it can lock you out of your own site altogether. So, if you're looking for a security plugin that will actually protect your site, MalCare is definitely the way to go.
iThemes might look like a security plugin, but it's missing the three most important features: a malware scanner, a malware cleaner and a firewall. Don't be fooled by all the half-measures; they're just for show.
For example, their stated approach is to block attacks before they happen by staying vigilant about vulnerabilities on the site, but the plugin does nothing to actually warn a user, apart from sending a digest email each week listing vulnerabilities that have been found.
Somewhere in this funhouse of a security plugin, there are a few minor security features that are both useful and work.
And then, to add insult to injury, they use another security plugin to secure their own site. Take a minute to process the fact that a security plugin site isn’t using their own product.
Critical security features and iThemes
If you’re looking for a security plugin, there are certain features that you can’t do without: malware scanner, malware cleaner and firewall. These should be top of your list when deciding if the plugin is a good fit.
These features are non-negotiable, and they should be the most important points of any review. However, iThemes has indicated in various places on its site that these exact features are extraneous to WordPress security. I strongly disagree.
Malware scanner
Let's start with the basics. Does it scan for malware? No. It checks whether Google has blacklisted your site. You'll see this information in the raw data section of the scan results.
While Google is doing the actual scanning of your site, iThemes isn't. iThemes is only telling you whether your site has landed on the Google Transparency Report, colloquially called the Google blacklist. You absolutely do not need iThemes to run this check for you: you can look it up on Google's site yourself in seconds.
⚠️ Most malware scanners include a blacklist check as part of their scan, but they also scan your files for actual malware, which is the whole point. Not iThemes, though.
Since the scanner doesn't scan for malware, automated scans are a moot point. It is still worth noting that a good security plugin should scan for malware automatically and regularly: a blacklist listing only appears after Google has already found malicious content on your site, so by then the damage is done.
There is also a 'View Logs' section which shows the events that have taken place previously.
Malware removal
iThemes doesn't detect malware, so it stands to reason that it can't remove malware either. It wasn't a complete shock, then, that they don't offer any kind of removal: automatic, manual or magical.
Firewall
iThemes doesn't have a firewall, although it claims to offer IP blacklisting. Too bad it doesn't really work. The bot protection feature is weak too: all it does is prevent search engine bots from indexing your site, and the one thing it does do, it does so badly that it is detrimental to your site.
You can ban IPs and user agents, or use a pre-populated ban list from hackrepair.com. But the plugin implements these bans by writing rules into the .htaccess or nginx.conf file, which is not ideal. These are server configuration files and they are incredibly powerful, but their intended use is to customize server settings on a site-specific basis. IP whitelisting and blacklisting is one of those settings, yet a long ban list quickly becomes unwieldy and hard to manage in a configuration file, and a single malformed line in .htaccess takes the whole site down with a server error.
The firewall, therefore, should be elsewhere.
You can also enter IP addresses in an exception list, but that's of limited use as device IPs change all the time. Overall, not impressed.
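To show what the plugin is actually writing into those files, here is an added example (my own illustration, not iThemes' code) that renders a ban list as Apache 2.4 and nginx rules and includes a matcher you can run against a request before trusting the config to enforce it. The ban list is constructed and is not the hackrepair.com list; the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 ranges are documentation addresses.

```python
"""Added example (not iThemes' code): IP/user-agent ban list rendered as
Apache and nginx rules, plus an offline matcher. Ban list is constructed."""
import ipaddress
import re

# Constructed ban list: CIDR ranges or single addresses, and user-agent substrings.
BANNED_NETWORKS = ["192.0.2.0/24", "198.51.100.7", "2001:db8::/32"]
BANNED_AGENTS = ["BadBot", "MassScanner/1.0"]


def render_apache(networks, agents):
    """Render Apache 2.4 rules (Require directives, not the 2.2 'deny from' syntax)."""
    lines = [f'SetEnvIfNoCase User-Agent "{re.escape(ua)}" banned_ua' for ua in agents]
    lines.append("<RequireAll>")
    lines.append("    Require all granted")
    lines.extend(f"    Require not ip {net}" for net in networks)
    if agents:
        lines.append("    Require not env banned_ua")
    lines.append("</RequireAll>")
    return "\n".join(lines)


def render_nginx(networks, agents):
    """Render the equivalent nginx snippet for a server or location block."""
    lines = [f"deny {net};" for net in networks]
    if agents:
        pattern = "|".join(re.escape(ua) for ua in agents)
        lines.append(f'if ($http_user_agent ~* "{pattern}") {{ return 403; }}')
    return "\n".join(lines)


def is_blocked(ip, user_agent, networks=BANNED_NETWORKS, agents=BANNED_AGENTS):
    """Return (blocked, reason) for a request, mirroring what the rendered rules enforce."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        # strict=False tolerates host bits in a range; a bare address becomes a /32 or /128.
        # Comparing an IPv4 address against an IPv6 network is simply False.
        if addr in ipaddress.ip_network(net, strict=False):
            return True, "ip"
    ua = (user_agent or "").lower()
    if any(banned.lower() in ua for banned in agents):
        return True, "user-agent"
    return False, ""


if __name__ == "__main__":
    print("# .htaccess\n" + render_apache(BANNED_NETWORKS, BANNED_AGENTS))
    print("\n# nginx.conf\n" + render_nginx(BANNED_NETWORKS, BANNED_AGENTS))
    print(is_blocked("192.0.2.77", "Mozilla/5.0"), is_blocked("203.0.113.1", "badbot/2.1"))
```

Even at three networks and two user agents the Apache block is already seven lines; a pre-populated list of hundreds of entries turns .htaccess into something nobody wants to hand-edit, which is the point made above. Rules that live in a firewall layer with its own management UI and logging do not have that problem.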
Secondary security features
It looks like iThemes can't do the important security actions very well. But what about tasks like brute force protection and activity logs?
Login protection
iThemes is big on brute force protection, but is abysmal at it. Who’d have thought?
To test this feature, I set up the plugin to lock me out of my account after 10 attempts with the wrong password or username. I ran this test on two different types of sites. On a normal site, I was locked out after 10 attempts, yet on the hacked test site I got up to 100 attempts and wasn't blocked. The blocked attempts were logged as network brute force attacks, while the allowed ones were logged as local brute force attacks.
I even tried manually brute forcing the normal site, but despite the IP being removed from the no-ban list, I still wasn't blocked. According to the configuration, it should have locked me out for 15 minutes. No luck there.
It's interesting to note that any mistaken login is categorized as a brute force attempt. iThemes' brute force protection is temperamental and unpredictable.
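For reference, this is the behaviour the test above was expecting, written out as an added example (my own illustration, not iThemes' code): a throttle that counts failed logins per source IP and per username inside a sliding window, locks either key for 15 minutes once the 10-attempt ceiling is hit, and refuses outright any IP on a shared ban list. The "network ban list" is a constructed stand-in for a feed of known attacker IPs, and the attempt sequence is constructed too.

```python
"""Added example (not iThemes' code): login throttle with per-IP and
per-username lockout. Ban list and attempt sequence are constructed."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_attempts=10, window_s=300, lockout_s=900, network_banlist=()):
        self.max_attempts = max_attempts      # failures allowed inside the window
        self.window_s = window_s              # sliding window in seconds
        self.lockout_s = lockout_s            # 15 minutes, matching the setting in the test
        self.network_banlist = set(network_banlist)
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> epoch seconds the lock expires

    @staticmethod
    def _keys(ip, username):
        # Count by IP (one attacker, many usernames) and by username
        # (many IPs, one target account) so both attack shapes hit a ceiling.
        return (("ip", ip), ("user", username.lower()))

    def check(self, ip, username, now=None):
        """Return (allowed, reason) before the password is even looked at."""
        now = time.time() if now is None else now
        if ip in self.network_banlist:
            return False, "network-ban"
        for key in self._keys(ip, username):
            if self.locked_until.get(key, 0) > now:
                return False, f"{key[0]}-locked"
        return True, "ok"

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        for key in self._keys(ip, username):
            recent = self.failures[key]
            recent.append(now)
            while recent and recent[0] < now - self.window_s:
                recent.popleft()
            if len(recent) >= self.max_attempts:
                self.locked_until[key] = now + self.lockout_s
                recent.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures.pop(key, None)


def simulate(throttle, attempts):
    """attempts: (time, ip, username, password_correct). Returns one outcome per attempt."""
    outcomes = []
    for t, ip, user, correct in attempts:
        allowed, reason = throttle.check(ip, user, now=t)
        if not allowed:
            outcomes.append(reason)
        elif correct:
            throttle.record_success(ip, user)
            outcomes.append("login")
        else:
            throttle.record_failure(ip, user, now=t)
            outcomes.append("failed")
    return outcomes


# Constructed attempt sequence (time in seconds, ip, username, correct password?).
ATTEMPTS = [(float(i), "203.0.113.5", "admin", False) for i in range(12)]  # 12 bad guesses
ATTEMPTS += [
    (12.0, "203.0.113.5", "admin", True),      # right password, but the IP is locked
    (12.5, "192.0.2.44", "admin", True),       # new IP, same account: username lock holds
    (13.0, "198.51.100.9", "editor", False),   # IP on the shared ban list
    (910.0, "203.0.113.5", "admin", True),     # 15 minutes after the lock: allowed again
]


def run_demo():
    throttle = LoginThrottle(network_banlist={"198.51.100.9"})
    return simulate(throttle, ATTEMPTS)


if __name__ == "__main__":
    for attempt, outcome in zip(ATTEMPTS, run_demo()):
        print(f"t={attempt[0]:>6.1f} {attempt[1]:<14} {attempt[2]:<7} -> {outcome}")
```

The two things worth checking in any plugin's implementation are visible here: the lock is applied on the tenth failure and honoured even when the next guess is correct, and it expires on schedule rather than never. A throttle that counts only by IP lets a distributed attack on one account through; one that never expires is the lockout the TL;DR warns about.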
Vulnerability detection
If you're sensing a pattern, you'll probably guess that iThemes' claim of detecting vulnerable plugins is bogus. I had several vulnerable plugins installed on our test sites and the scan didn't detect a single one.
So how does it warn you of vulnerabilities on your site? iThemes sends you an occasional email listing new vulnerabilities disclosed in plugins and themes in general, so you have to work out for yourself which of those are installed on your site and update them. If you unsubscribe from the email, you miss out on vulnerability information altogether. This isn't a proactive approach at all; the onus is entirely on you to identify the vulnerabilities on your own site.
It's even more ridiculous that they have a version management feature expressly designed to update out-of-date plugins and themes, yet they can't seem to flag on the dashboard which of the installed ones have known vulnerabilities.
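The missing step is a cross-reference between the advisory feed and what is actually installed. As an added example (my own illustration, not iThemes' code), here is that cross-reference: it takes the site's plugin inventory and a feed of advisories and returns only the entries that apply to the installed versions, with the action to take. The plugin slugs, versions and advisories are constructed for illustration and are not real advisories.

```python
"""Added example (not iThemes' code): match an advisory feed against the
plugins installed on one site. Inventory and feed are constructed."""
import re


def parse_version(text):
    """Turn '2.1.3' into (2, 1, 3); trailing zeros are dropped so '4.0' == '4.0.0'.
    Non-numeric parts such as '-beta' are ignored, which is cruder than PHP's
    version_compare() but good enough for release versions."""
    parts = [int(p) for p in re.split(r"[.\-]", text.strip()) if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed_version, advisory):
    """An advisory applies if version >= introduced (when given) and < fixed_in.
    fixed_in None means no patched release exists yet, so every version is affected."""
    v = parse_version(installed_version)
    introduced = advisory.get("introduced")
    if introduced and v < parse_version(introduced):
        return False
    fixed_in = advisory.get("fixed_in")
    if fixed_in is None:
        return True
    return v < parse_version(fixed_in)


def match_advisories(installed, feed):
    """installed: {slug: version}. Returns the advisories that apply to this site."""
    hits = []
    for adv in feed:
        version = installed.get(adv["slug"])
        if version is not None and is_affected(version, adv):
            hits.append({
                "slug": adv["slug"],
                "installed": version,
                "title": adv["title"],
                "action": (f"update to {adv['fixed_in']}" if adv.get("fixed_in")
                           else "no fix available: deactivate"),
            })
    return sorted(hits, key=lambda h: h["slug"])


# Constructed inventory of one site and a constructed advisory feed.
INSTALLED = {
    "example-forms": "2.1.3",
    "gallery-lite": "4.0",
    "seo-helper": "1.8.0",
    "cache-booster": "3.2.1",
}
FEED = [
    {"slug": "example-forms", "title": "Unauthenticated SQL injection (constructed)", "fixed_in": "2.1.4"},
    {"slug": "gallery-lite", "title": "Stored XSS in captions (constructed)", "introduced": "3.5", "fixed_in": "4.0.1"},
    {"slug": "seo-helper", "title": "Open redirect (constructed)", "fixed_in": "1.8.0"},
    {"slug": "cache-booster", "title": "Arbitrary file read (constructed)", "fixed_in": None},
    {"slug": "not-installed-here", "title": "Irrelevant to this site (constructed)", "fixed_in": "1.0"},
]


if __name__ == "__main__":
    for hit in match_advisories(INSTALLED, FEED):
        print(f"{hit['slug']} {hit['installed']}: {hit['title']} -> {hit['action']}")
```

Note the two cases a digest email leaves you to work out by hand: the plugin already running the fixed release (seo-helper) is correctly left off the list, and the one with no patch at all (cache-booster) is flagged with the only sensible action, which is to deactivate it rather than wait for an update.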
Two-factor authentication
Two-factor authentication on iThemes works exactly as advertised. You can set up two-factor authentication with multiple methods, including mobile app, email, and backup codes.
Additionally, 2FA can be required based on user roles, and you can issue separate application passwords for the REST API and XML-RPC which cannot be used for interactive logins. These settings live in the user profile and can be configured from there.
However, because XML-RPC is a frequent target for brute force and pingback abuse, it is usually disabled outright, which limits the usefulness of a separate XML-RPC password.
Activity log
The user activity log is available to admins, but unfortunately not all events are logged accurately, so it's pretty much useless.
Hardening features
Installing and configuring iThemes
So far, I haven’t had much luck with the security features. But what about usability; is it easy to install and configure?
Installation
Installing the free version is very easy, although there is a lengthy and ultimately unnecessary setup process. For the pro version you need to sign up for a license and download the plugin from their site.
Ease of use
iThemes is really confusing to use. The technical jargon and complex settings make it tough for everyday users to understand. It also doesn’t seem to do what it claims. A thumbs down for usability.
Notifications and alerts
No alerts at all. I am all for avoiding excessive alerts, but with iThemes, no matter what settings you try to change, you won't get any. Even if you want notifications, you won't get them.
User management
Sure, you can set security settings based on user roles, but many of them are redundant. Strong passwords, for example, should be required for all users, not just some roles. There are a plethora of options, which look impressive at first glance, but realistically you don't need that granularity: if even one low-privilege account is compromised, the attacker can potentially escalate privileges to admin level. Bottom line: this feature isn't as helpful as it seems.
Other factors to consider
iThemes is not much of a security plugin. But, beyond security, there are a few other factors to consider when evaluating it. Here, I will talk about the plugin's impact on the server and whether the support is any good.
Impact on server resources
When it comes to server resources, iThemes gets a perfect score. There’s no impact at all: it’s so light that it’s almost like the plugin isn’t even there or doing anything. That tracks.
Help and support
As for help and support, I didn’t test it out for myself. However, looking through the reviews on the WordPress repository indicates that it’s not great.
Pricing
The pricing for iThemes recently changed, and it doesn’t really make sense. Previously, they had a top tier plan for unlimited sites. Now, the plans range from $99 for 1 site to $299 for 10 sites. Whether old pricing or new, iThemes is definitely a waste of money.
What are the best alternatives to iThemes?
Since I've excoriated iThemes in this review, you need options. Which are the best plugins for WordPress security? Here are the top picks:
How to choose a security plugin for WordPress?
Picking the perfect security plugin for your website can be a challenge. With so many solutions out there, it can be difficult to know which one is the right fit for your needs. In this section, I’ll go over the key features you should consider when deciding on a security plugin, including scanning tools, malware protection tools, firewalls, and more.
Crucial security features
Other security features
Potential problems of security plugins
Final thoughts
iThemes is not even worth the little energy it takes to install. It has no real malware scanner (only a Google blacklist check), no malware removal tools, and no firewall. You're better off skipping it and looking at more comprehensive security solutions like MalCare.
FAQs
What are the features of iThemes security?
They claim to have a lot of features, but it's all bells and whistles. They claim to have a malware scanner, but they're just checking whether your site has been blacklisted. They say they have an option to block IPs, but it doesn't really work. They have a pretty useless login protection, an incomplete activity log, bogus vulnerability detection and barely useful hardening features. The only security feature that works is two-factor authentication.
What is the difference between Wordfence security and iThemes security?
Wordfence is the best free security plugin and iThemes is the worst. Wordfence has a regularly updated firewall, a mostly effective scanner and some automated malware removal options. iThemes doesn't actually identify the malware on your site, has no malware removal function and no firewall.
Related article: iThemes security vs Wordfence
How do I reset my iThemes security?
To reset your iThemes password, go to the iThemes Member Panel login page, where there is a section to reset the password. Enter the username or email address associated with the account. You will then receive an email with a reset link that is valid for 30 minutes.
How do I cancel my iThemes subscription?
To cancel your iThemes subscription, you will have to reach out to their sales team. Email them at sales@ithemes.com