iThemes Security is a security plugin for WordPress that offers a range of features designed to protect sites from various types of security threats. But is it worth installing on your website?
I will provide an in-depth review of iThemes Security, assessing its effectiveness, ease of use, compatibility with other WordPress plugins, and whether it’s worth the cost. By the end of this article, you should have a better understanding of whether iThemes Security is the right choice for your website’s security needs.
Installing iThemes is pretty much the same as having zero security. In fact, I would argue it is actually worse, because it can lock you out altogether. So, if you’re looking for a security plugin that will actually protect your site, MalCare is definitely the way to go.
iThemes might look like a security plugin, but it’s missing the three most important features. Don’t be fooled by all the half-measures; they’re just for show.
For example, their stated approach is to block attacks before they happen, which means being vigilant about vulnerabilities on the site, yet they do nothing to caution a user beyond sending digest emails with the vulnerabilities found each week.
Somewhere in this funhouse of a security plugin, there are a few minor security features that are both useful and work.
And then, to add insult to injury, they use another security plugin to secure their own site. Take a minute to process the fact that a security plugin site isn’t using their own product.
Critical security features and iThemes
If you’re looking for a security plugin, there are certain features that you can’t do without: malware scanner, malware cleaner and firewall. These should be top of your list when deciding if the plugin is a good fit.
These features are non-negotiable, and they should be the most important points of any review. However, iThemes has indicated in various places on its site that these exact features are extraneous to WordPress security. I strongly disagree.
Let’s start with the basics. Does it scan for malware? No. It checks to see if Google has blacklisted your site. You’ll see this information in the raw data section of the scan results.
While Google is conducting a malware scan on your site, iThemes isn’t. iThemes is helping you figure out if your site has landed on the Google Transparency Report, colloquially called the Google blacklist. You absolutely do not need iThemes to run this scan for you. You can go to Google’s site and get the info yourself in literal seconds.
Considering the scanner doesn’t scan for malware, automated scans are a moot point. However, it is important to note that a good security plugin should scan for malware automatically and regularly.
There is also a “View Logs” section which shows the events that have taken place previously.
iThemes wasn’t detecting malware, so it stands to reason that it would not be able to remove it. It wasn’t a complete shock, then, that they don’t offer any kind of removal: automatic, manual or magical.
Looks like iThemes doesn’t have a firewall, but they claim to allow IP blacklisting. Too bad it doesn’t really work. The bot protection feature is pretty weak too, and all it does is prevent search engine bots from indexing your site. The one thing it does do, it does so badly that it is detrimental to your site.
You can ban IPs and user-agents, or use a pre-populated ban list from hackrepair.com. But these rules get tricky because iThemes manages them in the .htaccess or nginx.conf file, which isn’t ideal. These are server configuration files and are incredibly powerful, but their intended use is to customize settings on a site-specific basis. IP whitelisting or blacklisting is one such setting, but a long list of such rules quickly becomes unwieldy and difficult to manage in a configuration file.
The firewall, therefore, should be elsewhere.
You can also enter IP addresses in an exception list, but that’s of limited use as device IPs are always changing. Overall, not impressed.
Secondary security features
It looks like iThemes can’t do the important security actions very well. But what about tasks like brute force protection and activity logs?
iThemes is big on brute force protection, but is abysmal at it. Who’d have thought?
To test this feature, I set up the plugin to lock me out of my account after 10 attempts with the wrong password or username. I ran this test on two different types of sites. On a normal site, I was locked out after 10 attempts, yet on the hacked test site, I got up to 100 attempts and wasn’t blocked. The blocked attempts were logged as network brute force attacks, while the allowed ones were local brute force attacks.
I even tried manually brute forcing the normal site, but despite the IP being removed from the no-ban list, I still wasn’t blocked. It should have locked me out for 15 minutes, according to the configurations. But no luck there.
It’s interesting to note that any mistaken login is categorized as a brute force. iThemes’ brute force protection feature is pretty temperamental and unpredictable.
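For reference, here is what the lockout policy configured in the test above (10 wrong passwords, then a 15-minute lockout, with a no-ban list) should do when it works. This is an added example written for this review, not iThemes’ code; the IP address, the `simulate` helper and the injectable clock are assumptions for the demo.

```python
import time
# Added example, not iThemes' code: the lockout policy the review configured
# (10 wrong passwords -> 15-minute lockout) with a "no-ban" allowlist and an
# injectable clock, so the expected behaviour can be checked without waiting.
MAX_FAILURES = 10
LOCKOUT_SECONDS = 15 * 60
def _keys(ip, username):
    # Count per source IP and per targeted account: rotating one alone still trips a counter.
    return (f"ip:{ip}", f"user:{username.lower()}")

class LoginLockout:
    def __init__(self, no_ban=(), clock=time.time):
        self.no_ban = set(no_ban)   # IPs that are never locked out
        self.clock = clock
        self.failures = {}          # key -> consecutive failures
        self.locked_until = {}      # key -> time the lock expires

    def is_locked(self, ip, username):
        if ip in self.no_ban:
            return False
        now = self.clock()
        return any(now < self.locked_until.get(k, 0) for k in _keys(ip, username))

    def record_failure(self, ip, username):
        """Record one failed login; return True if it triggered a lockout."""
        if ip in self.no_ban:
            return False
        triggered = False
        for key in _keys(ip, username):
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= MAX_FAILURES:
                self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
                self.failures[key] = 0   # counter restarts after the lock
                triggered = True
        return triggered

def simulate(attempts, no_ban=()):
    """Return (first blocked attempt or None, locked right after, locked 15 min later)."""
    fake = {"t": 0.0}
    lock = LoginLockout(no_ban=no_ban, clock=lambda: fake["t"])
    ip, user = "203.0.113.7", "admin"  # constructed, documentation range
    blocked_at = None
    for n in range(1, attempts + 1):
        if lock.is_locked(ip, user):
            blocked_at = n
            break
        lock.record_failure(ip, user)
    locked_now = lock.is_locked(ip, user)
    fake["t"] = LOCKOUT_SECONDS + 1
    return blocked_at, locked_now, lock.is_locked(ip, user)
```

With this policy the 11th attempt is refused, the lock holds until the 15 minutes are up, and an IP on the no-ban list is never locked; tracking the targeted account as well as the source IP means a run of failures spread across many IPs still locks that account.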
If you’re sensing a pattern, you’ll probably guess that iThemes’ claim of detecting vulnerable plugins is bogus. I had several installed on our sites and the scan didn’t detect a single one.
So how does it warn you of vulnerabilities on your site? iThemes sends you an occasional email with a list of new vulnerabilities detected in plugins and themes overall, so you have to figure out which ones are on your site and update them. You can unsubscribe from the email and completely miss out on any vulnerabilities. This isn’t a proactive approach at all and the onus is on you to identify the vulnerabilities on your site.
It’s even more ridiculous that they have a version management feature that’s expressly designed to update out-of-date plugins and themes, but they can’t seem to add which ones have vulnerabilities on the dashboard.
Two-factor authentication on iThemes works exactly as advertised. You can set up two-factor authentication with multiple methods, including mobile app, email, and backup codes.
Additionally, it is possible to set 2FA based on user roles, as well as separate application passwords for REST API and XML-RPC which cannot be used for traditional logins. This setting can be found in the user profile, and can be set from there.
However, due to security concerns, XML-RPC is usually disabled, limiting the utility of these separate passwords.
The user activity log is enabled for admins, but unfortunately not all events are logged accurately, so it’s pretty much useless.
- File Monitoring: As it stands, this isn’t a feature you can rely on for security. You can monitor files and folders for unexpected changes, but there are a few problems with this. You need to know which files to monitor and be able to tell good changes from bad changes. Plus, hackers can alter the modification dates of files, so I’m not sure how this feature will handle that.
The file extension exclusion list also includes jpeg and ico, which have been known to carry malware, which isn’t helpful. It also doesn’t detect plugin/theme installations, plugin updates, nor changes to posts and pages.
- Hardening tools: The options in this section vary in usefulness. For example, you can change the database prefix, and change your WordPress salts from here, which is nice. You’d usually use the WordPress generator to do that, and then have to change the salts manually in the wp-config file, so this is a handy tool. The ‘Check file permissions’ option is also helpful if you don’t know where to look for that info. But you can’t change permissions here and there’s no indication of how to do that. The feature to identify server IPs helps you figure out what your IP is so you can add it to the no-ban list. This is a frill at best, as it can be done elsewhere just as easily.
- Block PHP execution in uploads folder, plugin folders and theme folders: From the description, it looks like iThemes blocks external requests to PHP scripts. It’s useful against one type of hack, so I recommend using it for the uploads folder. But plugins and themes will definitely have scripts, so it depends on the site whether or not it makes sense to block them. If files aren’t called directly from there, but instead through something like admin-ajax, then it’s fine. But some plugins have scripts that need to be directly accessed, and these will break. It’s difficult for a normal user to determine this.
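On the file monitoring point above (a changed file whose modification date has been put back, and image extensions such as .ico being excluded), the following added example shows why a monitor should compare content hashes and not just timestamps. It is illustration code written for this review, not iThemes’ feature; the file names, contents and the `demo` helper are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example, not iThemes' code: a file-integrity baseline that records both
# mtime and a SHA-256 of the content, so a change whose timestamp was reset is
# still caught. Paths and file contents below are constructed for the demo.

def snapshot(root):
    """Map relative path -> (mtime, sha256) for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root)] = (os.stat(full).st_mtime, digest)
    return out

def diff_snapshots(before, after):
    """Return {path: signals} with signals drawn from {'added', 'removed', 'mtime', 'hash'};
    a tampered file whose mtime was restored shows {'hash'} alone."""
    changed = {}
    for path in set(before) | set(after):
        if path not in before or path not in after:
            changed[path] = {"added" if path in after else "removed"}
            continue
        signals = set()
        if before[path][0] != after[path][0]:
            signals.add("mtime")
        if before[path][1] != after[path][1]:
            signals.add("hash")
        if signals:
            changed[path] = signals
    return changed

def demo():
    """Tamper with a .ico (a type the review says is wrongly excluded) and
    restore its original timestamps, then diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "favicon.ico")  # constructed
        with open(target, "wb") as fh:
            fh.write(b"\x00\x00\x01\x00 constructed icon bytes")
        st = os.stat(target)
        base = snapshot(root)
        with open(target, "ab") as fh:
            fh.write(b" constructed appended bytes")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        return diff_snapshots(base, snapshot(root))
```

An mtime-only monitor reports nothing for this file; the hash comparison flags it, which is the check a monitor that excludes .ico and .jpeg never gets to run.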
Installing and configuring iThemes
So far, I haven’t had much luck with the security features. But what about usability; is it easy to install and configure?
Installing the free version is very easy, although there is a lengthy and ultimately unnecessary setup process. For the pro version you need to sign up for a license and download the plugin from their site.
Ease of use
iThemes is really confusing to use. The technical jargon and complex settings make it tough for everyday users to understand. It also doesn’t seem to do what it claims. A thumbs down for usability.
Notifications and alerts
No alerts at all. I am all for avoiding excessive alerts, but with iThemes no matter what settings you try and change, you won’t get any. Even if you want notifications, you won’t get them.
Sure, you can set security settings based on user roles, but many of them are redundant. Strong passwords, for example, should be a given for all users. There are a plethora of options, which look impressive at first glance, but realistically you don’t need to go into granular detail, because if one user-level account is hacked, the hackers can potentially escalate their privileges to admin level. Bottom line is that this feature isn’t as helpful as it seems.
Other factors to consider
iThemes is not much of a security plugin. But, beyond security, there are a few other factors to consider when choosing iThemes. Here, I will talk about the plugin’s impact on the server and if the support is good.
Impact on server resources
When it comes to server resources, iThemes gets a perfect score. There’s no impact at all: it’s so light that it’s almost like the plugin isn’t even there or doing anything. That tracks.
Help and support
As for help and support, I didn’t test it out for myself. However, looking through the reviews on the WordPress repository indicates that it’s not great.
The pricing for iThemes recently changed, and it doesn’t really make sense. Previously, they had a top tier plan for unlimited sites. Now, the plans range from $99 for 1 site to $299 for 10 sites. Whether old pricing or new, iThemes is definitely a waste of money.
What are the best alternatives to iThemes?
Since I’ve excoriated iThemes in this review, you need options. Which are the best plugins for WordPress security? Here are the top picks:
- MalCare: MalCare is the best security plugin out there; the scanner is super accurate, the firewall is reliable, and an automated malware cleaner is very effective. Each plan includes unlimited malware removal by a team of security experts. Apart from two-factor authentication, you’ll find every major and minor WordPress security feature in MalCare. You can’t go wrong with it.
- Wordfence: Wordfence’s free version offers pretty good protection, including a scanner and firewall. The firewall is regularly updated, but the free version lags behind the premium. If malicious content is found, it will require upgrading to a more expensive plan to remove it safely.
- Sucuri: All of Sucuri’s paid plans come with unlimited malware removal. The downside is that the scanner isn’t always accurate, so you’ll need to be aware of any potential malware issues before you can get the removal feature to work. You can also go through our guide on iThemes security vs Sucuri for a more detailed comparison.
How to choose a security plugin for WordPress?
Picking the perfect security plugin for your website can be a challenge. With so many solutions out there, it can be difficult to know which one is the right fit for your needs. In this section, I’ll go over the key features you should consider when deciding on a security plugin, including scanning tools, malware protection tools, firewalls, and more.
Crucial security features
- Malware scanning: Trying to stay ahead of the bad guys can feel like a never-ending game of cat and mouse. Thankfully, there are effective ways to automatically detect malware on sites.
However, not all methods that security plugins use to identify malware are equally effective. For example, the signature matching mechanism used by Wordfence compares the code of any suspected malware against a database of known malware signatures. The database has to be regularly updated so that threats are detected. As you can imagine, new malware and zero-day threats aren’t caught. MalCare uses a far more reliable signal matching mechanism, which reviews code to check whether it has malicious intent. This way, even the newest threats are caught by the scanner.
- Malware removal: If your site’s been hit with malware, it can be tricky to get rid of. In some cases, you can delete the malicious files and repair the affected site files. For more complicated cases, though, you may need to enlist the help of an experienced security pro. Many security plugins offer malware removal as a premium feature for their expertise. MalCare is the only one with a reliable automatic malware removal feature, and unlimited cleanup by experts in every plan.
- Firewall: No security setup is complete without a good, reliable firewall. Firewalls act as filters for incoming traffic and help keep malicious code from infiltrating your website. Firewalls should be frequently updated, maintain a comprehensive list of logs, and load before WordPress to be really effective.
Other security features
- Vulnerability detection: Nobody wants to find out their website has been hacked because of a security hole they didn’t know existed. A vulnerability scanner can help you spot any vulnerabilities in your WordPress core, plugins, and themes, so you can patch them up quickly.
- Two-factor authentication: To help keep your user accounts secure, it’s worth considering two-factor authentication (2FA). This adds an extra layer of security by requiring two different methods of authentication before allowing a user to log in. With 2FA, users need both something they know (like a username and password) and something they have (like a phone or security token).
- Login protection: It’s essential to protect your WordPress admin area from brute force attacks. These are automated attempts to break into your account by randomly guessing your username and password. To protect yourself, you should install a plugin with login protection features.
- Activity log: If you want to keep an eye on what’s happening on your website, an activity log is a great tool to have. It’ll help you monitor all the changes happening on your site and identify any security events quickly. This can help you respond to threats quickly and keep your website safe and secure.
Potential problems of security plugins
- Server impact: Security plugins can put a strain on your server resources, making your site slower and less responsive. This is because they conduct malware scans on your site, or use your site’s server resources to power the firewall. Wordfence is the worst offender on this front. On the other hand, MalCare is designed to carry out its scans on its own server, so it won’t use any of your own resources. Try to look for plugins that don’t slow down your website.
iThemes is not even worth the little energy it takes to install. It has a poor malware scanner, no malware removal tools, and no firewall. You’re better off skipping it and looking at more comprehensive security solutions like MalCare.
What are the features of iThemes security?
They claim to have a lot of features but it’s all bells and whistles. They claim to have a malware scanner but they’re just checking to see if your site was blacklisted. They say they have an option to block IPs but it doesn’t really work. They have a pretty useless login protection, an incomplete activity log, bogus vulnerability detection and barely useful hardening features. The only security feature that works is two-factor authentication.
What is the difference between Wordfence security and iThemes security?
Wordfence is the best free security plugin and iThemes is the worst. Wordfence has the most updated firewall, a mostly effective scanner and some automated malware removal options. iThemes doesn’t actually identify the malware on your site, doesn’t have a malware removal function and no firewall.
Related article: iThemes security vs Wordfence
How do I reset my iThemes security?
To reset the password, go to the iThemes Member Panel Login page. There is a section to reset the password. Add the username or email that is associated with the account. You will then receive an email and a link to reset the password that is valid for 30 minutes.
How do I cancel my iThemes subscription?
To cancel your iThemes subscription, you will have to reach out to their sales team. Email them at firstname.lastname@example.org