At first glance, iThemes Security looks like a great and affordable security plugin for your WordPress websites. Especially if you consider that you can protect unlimited websites for just $199.
Sucuri, on the other hand, is one of the most popular WordPress security plugins available. It packs a punch with a scanner and a firewall, and offers malware removal too. So already in this head-to-head, it has stolen a march on iThemes.
However, it boils down to which security plugin actually provides the best protection from hackers and malware. We tested 5 top security plugins for WordPress on 3 websites. The websites were chock full of malware and vulnerabilities, and we put the plugins through their paces. Read on to see the results of our tests, and find out which plugin will really protect your WordPress website.
VERDICT iThemes Security vs Sucuri: iThemes got knocked out of the race altogether. In this contest, Sucuri was undoubtedly the winner. Having said that, we still wouldn’t trust Sucuri with protecting our website. Full details of our tests below.
We created 3 WordPress websites to test the security plugins. One was an ordinary blog as a test control. Next, we installed 3 outdated plugins with published vulnerabilities on a second website. Lastly, we stuffed a third website full of malware and backdoors, both in the files and database. We counted on the last website to sort the wheat from the chaff. And boy, did it.
Each plugin was put through its paces for 45 days. We tested the scanners, the cleaners, the firewalls, brute force protection—the works. At the end of it, the conclusion was unambiguous: MalCare won on all counts.
Our question for this article series was simple: which security plugin is guaranteed to protect WordPress websites from hackers? The answer is unequivocal: MalCare.
Summary of iThemes Security vs Sucuri comparison
iThemes Security is the placebo of WordPress security plugins. You think your website is safe from hackers, but all that’s actually protecting it is wishful thinking and positive vibes. Sucuri is undoubtedly better, but better is a relative term after all. It is not a great security plugin.
iThemes Security in a nutshell
The bottom line is that iThemes doesn’t protect your website. We strongly advise skipping iThemes altogether if you are considering it for WordPress security. And if you have it installed already, please scan your website immediately. Your website has no security.
Our first impressions of iThemes were actually favourable. The website talks a great game, and instills confidence because of the authoritative way in which they speak about WordPress security. The only flaw we could see was that you couldn’t use the plugin to clean malware. That’s not ideal, but it still could work as a scanner.
Or so we thought.
The iThemes scanner doesn’t detect malware. At all. We would hazard a guess that it doesn’t even scan files and data, because the scan finishes in seconds. What the iThemes ‘scanner’ does do is check Google’s Transparency Report to see if your website is on that list. We don’t need a security plugin to do that. We went back to check the website, and were stunned to note that the features don’t explicitly say scan for malware. It just says that malware detection is one of the key steps in WordPress security. That’s doublespeak, if we ever saw it.
We were tempted to write off iThemes tests as useless, but continued on in the interest of fairness.
The plugin does have a solid two-factor authentication feature, which you can enable on your login page. It also has some decent hardening features like blocking PHP execution in folders. Having said that, brute force login protection only works some of the time. Another black mark against the plugin.
Our takeaway from using iThemes is that the only features of any security value are the two-factor authentication and the easy implementation of reCAPTCHA on wp-login. These two features do not warrant a $199 bill however, because there are better security plugins that will offer the same features, in addition to some actual security.
Testing iThemes was a terrible experience because we cannot imagine the number of websites that believe that they are being protected by non-existent security. In fact, iThemes users, you should scan your website right now.
Sucuri in a nutshell
Sucuri has a decent firewall and great malware removal services, but failed spectacularly as a malware scanner. If you don’t know your website has malware, there is no way to get rid of it. This is a non-negotiable part of a security plugin.
When we started testing Sucuri, we expected a great deal from it. It is one of the most popular security plugins for WordPress, and we were stunned to see that the scanner failed to detect any malware on our hacked test site. We will go into more detail in a later section, but this set the tone for our entire testing process.
On top of the failure, the scan itself takes a long time to complete and uses up our server resources to do it. Sucuri themselves discourage too many scans because of the impact on the website’s performance. It is an awful trade-off to have between performance and security, and just shouldn’t be the case.
Moving on to the firewall and malware removal services, Sucuri did well. The firewall was very difficult to configure, and took us an inordinate amount of time to do so. But it blocked out the attacks we tried, and we weren’t able to exploit any vulnerabilities.
The malware removal service was the highlight of our testing experience though. Even though the scanner gave our hacked website a clean bill of health, we knew it was full of malware. First of all, we put the malware there, and secondly MalCare scans confirmed this diagnosis. The Sucuri team removed every trace of malware from our site, and it was squeaky clean as a result. Fantastic! The cherry on this cake was that you can have unlimited malware removal requests as part of your plan, which is a great deal.
Apart from the firewall, the settings are very obscure. We found ourselves puzzling over a lot of the jargon used, and that’s with expertise in WordPress security. The interface is not user-friendly, and we’re sure that many people will find it unnecessarily alarming. Minus point for Sucuri there.
All in all, we don’t think Sucuri is the best security solution for a WordPress website. That honour goes to MalCare, because of a scanner that works every single time. MalCare also gets bonus points for not making us feel obtuse.
How to choose the right security plugin for your WordPress website
Security for your WordPress website is non-negotiable. Malware can cause countless losses for businesses: lost revenue, lawsuits, cleanup costs, impact on branding, loss of organic traffic and much more. Investing in the right plugin will save you from hackers and malware, and the problems that malware leaves in its wake.
The question is though: how do you choose an effective security plugin for your website?
When we set up our tests, there were several factors to consider: security, of course, but also ease of use and value for money too. However, we soon realised that all factors apart from security became meaningless, because how effective a plugin is at security should be the only consideration.
So here are the factors to consider when selecting a security plugin.
- Essential security features
  - Malware scanning
  - Malware cleaning
  - Firewall
- Good-to-have security features
  - Vulnerability detection
  - Brute force login protection
  - Activity log
  - Two-factor authentication
- Potential problems
  - Impact on server resources
As you can see from the list, only 3 factors are completely essential. MalCare aces all 3: scanning and cleaning malware that other plugins are guaranteed to miss, and protecting your website from malicious traffic with a powerful firewall. Moreover, MalCare does it better than any other security plugin currently available.
iThemes Security vs Sucuri: Head-to-head comparison of features
The way we have laid out this comparison is to take on the most essential features first, and then to discuss the other observations that cropped up during testing. Quite often, we saw features and settings that did next to nothing (we’re talking about iThemes) and yet painted an elaborate illusion of security.
Cutting through the chaff to get to the wheat wasn’t easy, but we’re going to present all our data as clearly and fairly as possible.
If you want to skip this teardown, we recommend installing MalCare.
Malware scanning
Sucuri’s scanners didn’t detect any of the malware on our website. Judging by how fast it finished the scan, iThemes didn’t even scan our website for malware at all.
Sucuri’s free and paid versions both have scanners, so we were interested to see whether they perform differently. The free version is powered by Sucuri SiteCheck, an online utility that scans the publicly visible parts of your website for malware. Of course, this has limitations, so a clean chit from SiteCheck is not a guarantee of a malware-free website.
The paid plan includes a server-level scanner that you have to install onto your web server. Either you can do this manually, or input your FTP details into your Sucuri dashboard to install it automatically. It was a relatively painless process.
The scanner is set to run every day, but you can scan on demand—to an extent. Additional scan requests are put into a queue and then executed. Sucuri warns against using too many scans because scans use up server resources.
That gave us pause, because we then realised that Sucuri uses our website’s resources to run scans. With our test sites, the drain wasn’t too severe because the sites are small and there is no external traffic. However, we definitely saw a blip in our CPU usage. More on that in a later section.
The pro version also didn’t detect any malware on our hacked website. This was surprising, because our MalCare scan results clearly pinpointed the malware. So we raised a manual removal request. Once the request was handled by Sucuri’s team, the site showed up clean on MalCare. But that’s when the Sucuri scanner flagged malware on the website. It was very strange.
Luckily, there were no conundrums with the iThemes scanner. It doesn’t scan for malware, pure and simple. The iThemes scanner merely checks if your website is on Google’s blacklist. That’s it. We were unsurprised to see that our sites were not in fact on the blacklist, considering they are not indexed.
Malware cleaning
Malware cleaning is not on iThemes’ feature list, so obviously it can’t clean malware. Sucuri has unlimited malware removal services as part of their paid plans. Depending on your plan, your website will get cleaned in anywhere between 6 to 30 hours.
Even though Sucuri’s scan results said that our website didn’t have malware, we obviously knew that wasn’t the case. There was malware everywhere: in the files and in the database. We also had a bunch of backdoors in there for good measure. MalCare scanners confirmed that our test sites were indeed infested with malware.
So we raised a malware removal request with Sucuri, indicating clearly that we suspect that there is malware on the site. To raise a request, you need to fill out a form and provide FTP details for cleaning. And then wait for the results.
Side note: There was an interesting dropdown in the removal request form which lists out potential symptoms you may be seeing. Also, to our amusement, you had to indicate your level of technical proficiency, so we selected: “No proficiency, please explain everything clearly.”
Credit to Sucuri, their team removed all the malware from our site. Also, even though our plan terms said we could expect a resolution in 30 hours, we heard back in less than 10. So that was a huge thumbs up for Sucuri’s malware removal service.
We confirmed with MalCare that all the malware was removed, and then were surprised to see that Sucuri’s scanner now flagged the site as infected—after their team had cleaned it. That was weird.
On the other hand, iThemes can’t clean malware, so there was nothing to test. Thankfully, they don’t claim to do so on their website.
Frankly, malware cleaning is the toughest part of WordPress security, and often the most pricey aspect. Sucuri’s paid plans have unlimited cleanups, which is terrific because if vulnerabilities are not addressed, malware can reoccur. If we had a fault to find with the cleaning service it would be that you need to wait a while for resolution. In the case of malware, we’ve seen infections grow exponentially in short spans of time, so this is a cause for concern.
With MalCare, we could use the auto-clean function to get rid of malware in minutes. While we were waiting for Sucuri to get back to us, we realised the immense value that a quick cleanup has for a business-critical website.
Firewall
Sucuri’s firewall works, and keeps out our most common attacks. iThemes doesn’t have a firewall.
A firewall is a critical component in website security, because it keeps out malicious traffic and prevents exploits. By this point in the article, you wouldn’t be surprised to hear that iThemes doesn’t have a firewall. Why would it? It fails in every other respect as a security plugin.
Sucuri, on the other hand, protected our website from WordPress attacks. We tested it against vulnerabilities like unrestricted file uploads, XSS, and SQL injection. The firewall blocked all our attempts to exploit these vulnerabilities and upload malware to the website. In all transparency, we weren’t able to test more complex attacks.
So Sucuri’s firewall works, but we also have to mention how frustrating it was to configure. The firewall acts as a layer between incoming traffic and your website: all traffic first hits Sucuri’s firewall and is then forwarded to your website.
As you can imagine, this takes some configuration. The domain you use for your website has to point to Sucuri first, the traffic is analysed, and then the allowed traffic is sent forward to your website. Which is great, but it is a pain to set up the firewall if you don’t have expertise with nameservers and DNS config.
Overall, it is vastly better to have a security solution that works out of the box. No complex configuration to protect our website. You know, like the kind you get with MalCare.
Vulnerability detection
Sucuri detected most of the vulnerabilities on our website, although not all of them. iThemes didn’t find any.
After we enabled the server side scanner, Sucuri detected that we had a few vulnerable plugins installed on the website. It didn’t detect them all, and the recommendation was simply to update them.
In addition, there is a post-hack view on wp-admin that lists out the currently installed plugins and themes, their installed versions and the latest available versions. In the description of this section, Sucuri does mention that vulnerabilities are tied to website security, and it is a good practice to keep everything updated. It is unlikely anyone will land up there on a routine glance through the plugin, so we’re not sure the placement is useful.
As part of the malware removal request, Sucuri also sent us a message recommending that we apply hardening measures and update our vulnerable plugins (2 out of 3). This is part of their post-hack checklist.
iThemes doesn’t flag vulnerabilities. It does however have an exceedingly useless counter on the dashboard, indicating how many updates have been done from the time the plugin has been installed. How this information can be useful, we cannot fathom.
Brute force login protection
Sucuri is supposed to block brute force attacks and alert you, but doesn’t do either. iThemes sometimes does, sometimes doesn’t. Hard to say which is worse.
iThemes logs each incorrect login attempt as a brute force attack, which frankly is terrifying for a user to see. In one case, we genuinely forgot the password.
When we did try brute forcing the login page, we saw uneven results. iThemes blocked the attempts on 1 site but not the other. We tried to figure out what was causing this discrepancy, but the only difference was malware on the website. Since malware usually is a consequence of successful brute force attacks, we don’t think this is the reason. More likely, there appears to be a bug which makes the feature work sporadically. In effect, it is pointless.
Sucuri held out hope for us, because there is a granular set of options for brute force attacks. You can set the number of failed attempts that count as a brute force attack. We set it to a very modest 30 attempts per hour, even though login attacks usually run to several hundred attempts per minute.
After seeing all the settings for lockouts, we were a little apprehensive about being locked out of the site. We had turned off MalCare, so that MalCare’s login protection didn’t block the attempts. However, nothing happened. We tried 40+ incorrect logins in 3 minutes, and yet Sucuri didn’t raise an alert. We checked the audit logs, and the failed authentications show up all right. But no alerts. No lockouts. Nothing.
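The lockout rule we configured above, written out as an added example (this is not Sucuri’s or iThemes’ code): a per-IP sliding window over constructed failed-login log lines with the same 30-failures-per-hour threshold, showing that 45 failures in three minutes should trip it at the 30th attempt.

```python
"""Sliding-window brute force detector over failed-login log lines.

Added example, not Sucuri's or iThemes' implementation. The log lines
below are constructed: "<ISO timestamp> <client ip> <event> <username>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one attacker IP failing every 4 seconds for 3 minutes
# (45 failures), plus a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = [
    f"2024-03-01T10:{m:02d}:{s:02d} 203.0.113.7 login_failed admin"
    for m in range(0, 3) for s in range(0, 60, 4)
] + [
    "2024-03-01T10:01:30 198.51.100.20 login_failed editor",
    "2024-03-01T10:01:45 198.51.100.20 login_ok editor",
]

WINDOW = timedelta(hours=1)   # the review's "per hour" window
THRESHOLD = 30                # failures inside WINDOW that count as an attack


def parse(line):
    """Split one constructed log line into (timestamp, ip, event, user)."""
    ts, ip, event, user = line.split()
    return datetime.fromisoformat(ts), ip, event, user


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: ISO timestamp at which the threshold was first crossed}.

    Lines are processed in time order (ISO timestamps sort lexically).
    A per-IP deque holds the timestamps of failures still inside the
    window; older ones are dropped as time moves on. Successful logins do
    not clear the counter, so an attacker who eventually guesses right
    still shows up.
    """
    recent = defaultdict(deque)
    lockouts = {}
    for line in sorted(lines):
        ts, ip, event, _ = parse(line)
        if event != "login_failed":
            continue
        window_hits = recent[ip]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()
        if len(window_hits) >= threshold and ip not in lockouts:
            lockouts[ip] = ts.isoformat()
    return lockouts


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: crossed {THRESHOLD} failures at {when}; lock out and alert")
```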
Activity log
iThemes has an incomplete activity log feature. Sucuri has a good one, but it can be obscure.
Sucuri has a feature called Audit Logs, which tracks all the actions from users, plugins, and themes. The feature works as expected, however one of the settings gave us pause. You need an API key to “prevent attackers from deleting logs”. This basically authorises Sucuri to collect and store data about the website offsite, which is fine, but the language they use is jarring to say the least. More about that in the usability section.
While the logs work like, well, logs, and collect the timestamp, user and action, they can be very obscure. For example, we installed a new plugin which shows up as plugin activated. So far, so good. And there are 7 more entries in the log which show what the installation has affected. But there is little explanation as to what these entries mean. Are these changed files or folders, perhaps? No, we later realised that this particular plugin, which is a gallery plugin, changed the template for posts. That makes sense, but the revelation didn’t come from Sucuri.
An activity log is an important part of your website security toolkit. Hackers take advantage of insufficient logging to attack sites, and so you should hold out for a reliable log that you can trust to share correct information about your website.
Basically, not like the one iThemes has. The activity log here has some useful information, like user activity, version management, site scans and brute force attacks. Nothing about plugins or themes though. There is a separate feature that emails you a file change report every day as well. All in all, the logs are inadequate because they don’t paint an accurate picture of your website.
Two-factor authentication
iThemes has a great two-factor authentication feature that works out of the box. Sucuri doesn’t.
After trashing iThemes in this, and other similar articles in the series, we’re happy to report that this is one of the only security features that actually work on iThemes—and works rather well at that.
The two-factor authentication feature on iThemes is very robust. It has a ton of customisations, and works out of the box without a hassle. The plugin also helps enforce strong passwords, which we strongly advocate for.
Our only concern here is that the iThemes Pro version has a ton of settings that remove the need for login tokens for ease of use: passwordless login, trusted devices, magic links, and so on. While these are useful to smooth over the process of logging in, they defeat the purpose of two-factor authentication.
We looked for two-factor authentication when we tested out Sucuri. We found it exists on the Sucuri dashboard. However, we were both amused and bemused by the realisation that two-factor authentication is available for your Sucuri account, not for your WordPress website.
Server resource usage
iThemes will not drain your server resources at all, because it doesn’t do anything. Sucuri will cripple your website performance with its scans.
Interestingly, people don’t often ask us about server resources in the context of security. But ideally, you want your website to be protected and to not slow to a crawl in the process. Sucuri’s scanner will do that to your site.
Sucuri states outright that scans use the website’s server resources. In fact, they seem to discourage frequent scans for that reason. Frankly, this is terrible. Why should anyone have to choose between performance and reasonable server bills on one side and security on the other? They weren’t kidding though. There was a huge spike in server resource usage as soon as we installed Sucuri and ran a second scan. If the difference is this noticeable on a small site, on a large site it will be considerably more.
Additionally, in General Settings on the dashboard, there is a setting for Data Storage which appears to indicate that Sucuri stores a whole lot of data (logs mostly by the looks of it) on the website itself. This is probably why an API key is necessary, because it is all in the uploads folder by default, which is a publicly accessible folder. There is an option to change the storage to a non-publicly accessible folder, but that should have been the default to begin with.
iThemes won’t drain your server resources. How can it, when it doesn’t do anything?
Alerts
iThemes doesn’t alert you for anything. Sucuri does, but you need to be careful about what alerts you want to receive. Your inbox could fill up in hours.
Sucuri allows you to set up alerts to be sent to specific people, customise the format of the alerts, and much more. You can also add IP address ranges so that those addresses are not flagged for alerts. Be warned about the jargon-filled descriptions though. What is ‘classless inter domain routing’? We didn’t want to know, we just wanted to protect the website.
Judging by the granular settings for alerts, Sucuri seems to be acutely aware that they potentially send too many alerts. There is a setting to configure max alerts received in an hour, say up to 5 emails. The problem with this is: suppose the first 5 were false positives, and the 6th one isn’t? There is a disclaimer there—but again—better to have the actual information vs a useless feature. Our takeaway here is that any admin is not going to see the forest for the trees. There is just way too much noise.
Surprisingly, we are still reviewing iThemes, not giving it up for a lost cause. iThemes sent us file change notification reports, database backups, and other confirmations of our settings. We were also subscribed to a daily security digest about our website, and a vulnerability report once a week, presumably so we can check those off against our websites. It was bad enough with one site, with more sites it could get completely out of hand.
Installation, configuration, and usability
iThemes installation was surprisingly hard, because of the confusing configuration options. Sucuri was fairly straightforward, but the configuration options in the plugin were horribly daunting.
iThemes was the first plugin we tested, so it initially appeared to be easy. It also set the bar for the most useless settings. You have to go through a configuration to be able to create a security dashboard. We went through each of the settings, but none of them have a real impact on security, so we set them at random and left it at that.
Sucuri installed without a fuss, and the plugin set up on its own mostly. We did have to create an account with Sucuri to access the paid features. Also, it is worth pointing out that to install the server side scanner, you need to use the Sucuri external dashboard. It is not hard to do if you have FTP details readily available, although we don’t see much point because it didn’t detect any malware.
The iThemes dashboard on your wp-admin is noise. There is no security-related information that is of relevance.
Sucuri’s dashboard and settings are insanely complicated. We spent hours trying to figure out what they mean by the technical terms they use. In some cases, the plugin tells you the recommended setting, so the user is essentially working on blind faith. The only problem is that Sucuri doesn’t inspire blind faith, because their malware scanner doesn’t work!
We wish this plugin was easier to understand. It looks very complicated and seems to do a lot of stuff, but we can’t be sure because some of the things we know to be important, like brute force protection, don’t seem to work.
The firewall and server side scanner have to be enabled separately. It took us over a week to figure out this plugin with 3 websites. We shudder to think what would happen to someone handling more. It is so tedious to set up.
We want to reiterate that the settings are difficult to understand for non-tech users. We did not know there was something called a log analysis software. We also saw interesting messaging for the reverse proxy, where Sucuri helpfully tells us not to worry about this option unless we know what it is. Thanks for the confusion with a side of condescension.
There is a very elaborate whitelist feature on iThemes, which was surprising until we recalled the inordinate number of site lockout complaints we’ve seen. There are two problems with this: one is that device IPs change, so whitelisting your IP isn’t as much of a safeguard as you would think; and two, we tried everything possible to trigger a lockout, but it didn’t happen.
The file change monitor is another feature that sounds like a good idea, unless you know anything about security. Hackers can change file timestamps, even to the extent of making it look like the file hasn’t been edited for years. Additionally there is a filetype exclusion list for this monitor. Frankly, this shows a lack of understanding of malware. Malware can hide in any file, including .ico files for instance.
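To show why content hashing beats timestamp comparison, here is an added example (not iThemes’ file change monitor) that snapshots a constructed directory, modifies two files, restores the original timestamp on one of them, and compares what an mtime-only check and a SHA-256 check each report; it also covers every file type, .ico included, with no exclusion list.

```python
"""File change monitor that compares SHA-256 content hashes rather than
modification times, with no file-type exclusion list.

Added example; not code from iThemes or Sucuri. The directory, files and
"tampering" below are constructed to demonstrate the point.
"""
import hashlib
import os
import tempfile
from pathlib import Path

HASH, MTIME = 0, 1  # indices into a snapshot entry


def snapshot(root):
    """Map every regular file under root (any extension, .ico included)
    to (sha256 hex digest, mtime in nanoseconds)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime_ns)
    return snap


def diff(baseline, current, field):
    """Sorted relative paths that were added, removed, or whose `field`
    (HASH or MTIME) differs between the two snapshots."""
    changed = []
    for rel in baseline.keys() | current.keys():
        if rel not in baseline or rel not in current:
            changed.append(rel)
        elif baseline[rel][field] != current[rel][field]:
            changed.append(rel)
    return sorted(changed)


def demo():
    """Constructed scenario: baseline a tiny site, then alter two files.
    index.php gets its original timestamps put back (the trick the article
    warns about); favicon.ico is changed like an ordinary edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        index = root / "index.php"
        icon = uploads / "favicon.ico"
        index.write_bytes(b"<?php echo 'hello';\n")
        icon.write_bytes(b"\x00\x00\x01\x00")  # constructed, not a real icon
        before = index.stat()
        baseline = snapshot(root)

        # Tampered file: new contents, original atime/mtime restored to the ns.
        index.write_bytes(b"<?php echo 'hello'; /* changed */\n")
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Honest edit: new contents and a clearly later mtime. The mtime is
        # set explicitly because this synthetic run finishes within the
        # filesystem's coarse timestamp granularity.
        icon.write_bytes(b"\x00\x00\x01\x00\x00\x00\x00\x00")
        later = before.st_mtime_ns + 60 * 10**9
        os.utime(icon, ns=(later, later))

        current = snapshot(root)
        return {
            "mtime_only": diff(baseline, current, MTIME),
            "content_hash": diff(baseline, current, HASH),
        }


if __name__ == "__main__":
    for method, files in demo().items():
        print(f"{method}: {files}")
```

The mtime-only check reports just the icon and misses the tampered index.php; the hash check reports both.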
iThemes does have a good password management system. You can enforce strong passwords and refuse to allow compromised passwords. It is also possible to set application passwords for XML-RPC if you choose to.
Lastly, iThemes has some hardening features, most of which we don’t recommend at all. The only one which makes sense is to block PHP execution in the uploads folder. This prevents a certain type of malware attack. The others, we recommend ignoring altogether.
Sucuri’s dashboard on wp-admin looks pretty impressive, but right off the bat we saw that the biggest infobox is WordPress integrity. Hopefully this is only for the free version we are currently using, because this is essentially a dressed up version of a file change monitor for WordPress core files.
In some cases, we could see it being useful, considering a lot of malware gets into the core files. Conversely, we can also see it giving a false sense of security, because inexperienced people may believe that’s the extent of the malware, which is a scary thought. Funnily enough, 2 of the 3 WordPress integrity files it flagged were from MalCare: the emergency connector and the firewall.
Deeper in the settings, there is an integrity diff utility to compare core files and find differences. This might be easier to use than an online diffchecker utility.
There were a considerable number of hardening options: some useful, others not so much. We liked being able to block PHP in the uploads folder, enable the firewall, and activate automatic secret key updates, which change the WordPress salts.
However, verifying the WordPress version, removing the WordPress version, avoiding information leakage (removes the readme file, which WordPress just recreates), and verifying the default admin account are all silly features with minuscule security impact. Frankly, the whole security industry has moved on from these tricks.
If you choose to disable the plugin and theme editor, you will find updating tricky. It includes a caveat about some plugins and themes needing access to PHP files in these folders. This is inadequate. Case in point: Sucuri themselves save PHP files in the uploads folder. Do they not want access to their own files from their external dashboard? Or is that an exception to the rule? In which case, the rule seems flexible in ways that are hidden from the user.
We were interested to check out the post-hack feature on the wp-admin dashboard. After cleaning, you want to make sure you do everything to protect your website from future hacks. We liked the idea, until we looked a little further.
You can update secret keys—change the WordPress salts—from the dashboard. The only problem with this is that it is in plaintext, visible to every admin logged into wp-admin. If a hacker has an account with admin access, this is ridiculously dangerous. This feature only makes sense if a user has verified that none of the admin accounts are compromised, and then changes the salts. A point which is not mentioned anywhere.
You can reset user passwords. Again, a seemingly good feature until you read the fine print: “Select users from the list in order to change their passwords, terminate their sessions and email them a password reset link. Please be aware that the plugin will change the passwords before sending the emails, meaning that if your web server is unable to send emails, your users will be locked out of the site.”
There is a place to see available plugin and theme updates, which is basic version management. It doesn’t add anything to the existing admin dashboard functionality. However, it may serve to educate people that outdated plugins and themes are connected to security.
What’s missing from iThemes Security and Sucuri
iThemes doesn’t have a firewall, which is a serious lacuna for your WordPress security. Firewalls protect sites from certain types of attacks, and are invaluable if your website has vulnerabilities.
Sucuri’s malware scanner is not adequate. So, even though the malware removal service is great, you have to guess that there is malware on your website because the scanner is not going to flag it.
iThemes Security vs Sucuri: Pricing
Sucuri’s Basic Platform plan at $199.99 a year per site is a good deal for unlimited malware removal services. However, considering it is supposed to have a working scanner as well, that’s all your subscription will get you. iThemes is not worth anything. Just don’t bother.
We’ve made our opinion about iThemes abundantly clear in this article. The only feature worth mentioning in iThemes is the two-factor authentication, which is available on the free plan. We definitely do not recommend the Pro plan.
Sucuri’s pricing is a steal for a malware removal service, but the fly in the ointment is the scanner. If you don’t know you have malware, you can’t submit a request for removal.
Better alternative to iThemes Security and Sucuri: MalCare
Invest in a good security plugin that will scan, clean and protect your website from hackers. Of all the plugins we tested for this series, MalCare stands out as the best option. MalCare trumps iThemes in, well, everything, and scans for malware better than Sucuri.
In fact, MalCare’s $99 Basic plan is better than Sucuri’s $199.99 Basic Platform plan, with instant malware removal as well. It also includes unlimited cleanups.
The security of your website is of paramount importance. We’ve seen many customers skimp out on a security plugin, only to face devastating losses after a hack. One customer gave up after a point, and decided to rebuild his website from scratch. Malware is expensive, MalCare is not.
Did the article help you make a decision? We’d love to know! Do drop us a line.