iThemes Security vs Wordfence: Which Security Plugin Should You Choose?
iThemes Security looks like a great deal at just $199 for unlimited websites, and because of its unbeatable price, it has been a serious contender amongst the top security plugins for WordPress.
In the other corner we have Wordfence, the undisputed heavyweight in this category. Wordfence is known for its feature-heavy free plugin and for its security research and resources. For the premium version, each site will set you back a minimum of $99 a year, which is still a good deal.
There is no real comparison between Wordfence and iThemes. Wordfence’s free plugin is orders of magnitude better than iThemes Security’s premium plugin. Wordfence has its downsides, but at least it has a firewall and a malware scanner. iThemes doesn’t have any important WordPress security features, so we strongly recommend scanning your site for malware immediately.
Summary of iThemes Security vs Wordfence comparison
iThemes Security vs Wordfence is a no-brainer: Wordfence all the way.
Let’s consider WordPress security to be a spectrum between two extremes: no protection and a false sense of security on one side, and false positives and dire warnings on the other. iThemes Security gives you a false sense of security, and Wordfence is the one that keeps you in a state of near-constant fear.
In our considered opinion, neither is a good option. However, Wordfence has an excellent free version that will protect your website to a large extent, whereas even the premium version of iThemes Security will not do anything to protect your website. Our advice is to avoid both extremes and go for a good security plugin.
iThemes Security in a nutshell
iThemes Security is by far the worst WordPress security plugin we have seen. It has a few good features, like two-factor authentication and strong password support, but that’s it. There is no malware scanner, it cannot clean malware, and there is no point discussing a firewall. In fact, if you use iThemes right now, please scan your website immediately.
Fun fact: iThemes was the first security plugin we tested. The website and the entire setup process gave us the impression that, yes, these guys know what WordPress security is all about. Unfortunately though, none of that know-how seems to have made it into the actual plugin.
At first, we assumed that iThemes Security is a malware scanner, because there is no mechanism to clean malware. Nor does the website say that there is a firewall. This is not great, because scanning is one of the pillars of WordPress security but not the only one. However, you can cobble together a mix of various plugins to give you that functionality, if you have a decent scanner in the first place.
Ah, but that was the problem. iThemes is not a malware scanner. It is not a vulnerability scanner. It scans the Google blacklist for your website. You know, the same thing you can do from the Transparency Report page, without needing to install a plugin. The biggest giveaway was that the scan lasted seconds. There is no way a scanner can go through all the website files and folders in literal seconds.
Brute force protection for the login page was patchy and inconsistent, and the activity log was useless. More on that later.
On the plus side, iThemes Security has an excellent two-factor authentication feature. We also liked how easy it was to implement reCAPTCHA on wp-login. And finally, the user password management settings were really granular and detailed. Additionally, there are a few decent WordPress hardening features, like blocking PHP execution in folders.
Overall, testing iThemes Security was a revelatory experience. We take security very seriously, and we were shocked to see how clever verbiage and a misleading feature set can hoodwink admins into thinking their sites are protected. In fact, we strongly recommend that any iThemes users rethink their security altogether and scan their website immediately. iThemes did not stack up to any other security plugin.
Wordfence in a nutshell
Wordfence is the best free security plugin that we have come across after MalCare. We highly recommend it for websites that have absolutely zero budget for security. The firewall blocks out most attacks, the scanner detects most file-based malware, and the malware repair feature will help you get rid of most of it. The downside is that there will be a ton of false positives, some missed malware, and the emergency hack clean up services are exorbitant.
We were excited to try out Wordfence, because it is the most widely used security plugin. And after some horrible experiences (read: iThemes), it would be great to see how the plugin dealt with WordPress security.
We’ll go into more detail in later sections, but want to talk about the major aspects of security here first.
Wordfence has a decent scanner, which picked up all the file-based malware we had in our free plugins and themes. But, there are some big caveats about its effectiveness. The scanner cannot detect database-based malware, nor the malware in premium plugins and themes. Additionally, it took a noticeable toll on our website to even run the scan.
Next, we tried the automatic repair of malware. To our delight, it repaired all the file-based malware from the website almost immediately; not the database-based malware though. Come to think of it, this is not great performance for a cleaner, but it was so obviously better than the others in this testing series that we were genuinely pleased to see the difference.
The firewall was pretty effective, blocking out most of the major and common WordPress attacks that plague websites. One peeve we have here is that the firewall generates a ton of alerts. Do we really need to know someone from Germany tried to hack our website 20 times in the last 5 minutes, in 20 separate notifications? Nope, we do not. Our inbox was drowned in Wordfence alerts within a few days, and it was impossible to sort the wheat from the chaff. Also, free users get firewall updates later than premium users, so there is a window of opportunity for hackers to bust into unprotected websites.
There are a fair few security features otherwise as well. Wordfence runs a lean ship, and all other functionality, like updating plugins when vulnerabilities are detected, is left to wp-admin. Makes sense, because why duplicate it on the same dashboard? It has pretty good brute force protection, and the two-factor authentication is robust.
We were enamoured of the immense usability of the plugin too. The language is approachable and straightforward, without the use of excessive jargon. More advanced features intended for power users are tucked away in settings as well.
However, we were surprised to note that there is no activity log as such, barring a most unreadable list meant for Wordfence developers. Also, there is no bot protection for the website at all. Finally, and most damningly for this plugin, it takes a huge amount of server resources to function. So much so that web hosts have banned the use of Wordfence altogether.
All in all, Wordfence is an excellent security plugin, but not the best one for your website. MalCare is the way to go with a superb scanner, effective malware cleaning, and an advanced firewall with real-time updates.
What to look for in a security plugin
WordPress security can be a confusing beast to deal with especially with the considerable misinformation that is available online. One thing is for sure, hackers can cost you revenue, business, lawsuits, out-of-pocket expenses, branding, organic traffic and so much more. The right security plugin will counteract all of that, in addition to saving you time and money to invest in other areas of your business.
We often come across the question: how do you choose the right security plugin for your WordPress website?
The answer is usually a laundry list of features. Some are vital, some not so much. But every plugin wants to sell you on their 100+ features, most of which have little to no impact on your website security. But the list will confuse the issue long enough to make WordPress security a headache again.
So we compiled this essential—and short!—list of security features. You should look for a security plugin that ticks mostly everything on this list, and get other solutions for the features it doesn’t have.
- Essential security features
  - Malware scanning
  - Malware cleaning
- Good-to-have security features
  - Vulnerability detection
  - Brute force login protection
  - Activity log
  - Two-factor authentication
- Potential problems
  - Impact on server resources
The only plugin that comes close to hitting all the boxes is MalCare. By choosing MalCare, you are ensuring that your website gets the best available security from hackers and their malware.
iThemes Security vs Wordfence: Head-to-head comparison of features
In this section, we have detailed our findings in case you’re interested in reading more about a specific feature. After 45 days of testing, we had a ton of information and lots of findings. All that is encapsulated here for your reading pleasure.
The features are ordered from most to least important, and we assess both plugins on each factor. Our goal was to present everything we found as fairly as possible, so we haven’t held back anywhere.
If you want to just get to the crux of this exercise though, install MalCare and you wouldn’t have to hear about some of the horrors we uncovered.
Wordfence’s scanner detected file-based malware on our test website, but not the malware in our database. It also missed malware in premium plugins and themes. iThemes Security didn’t scan our website in the first place, so it was obviously not going to find any malware.
After installing Wordfence, it sets up the first scan automatically. So far, so great. We left the scanner to finish and explored the other features for a few hours, only to find that it was still stuck at 60%. Considering the site was pretty small, what gives?
Turns out, the 60% isn’t a progress bar, but a percentage indicating the efficacy of the free scanner. To get a full 100%, you would need to upgrade to the pro version of the plugin. Fair enough, but the way it was displayed on the dashboard was very confusing.
We restarted the scan, and were pleased to see it finished very quickly. The scanner flagged most of the malware, although not all of it. The malware it was easily able to detect was in the core WordPress files, and in the files and folders of free plugins and themes. It missed the hacked redirect malware in the database, and any files that were in premium plugins and themes.
We threw a lot of file-based malware at Wordfence, and it detected almost all of it. It has an extensive malware database for the signature-matching algorithm, so we expect that it will detect about 70 to 80% of malware. That is not as good as 95%, like with MalCare, but it is vastly better than all the other security plugins out there. Detection, after all, is half the battle.
The caveats we have with Wordfence are that there are a ton of alerts and a high number of false positives. Both these factors can lead to alerts losing their impact over time, and then there is a real danger a genuine alert could slip through unremarked. Also, the scans take a lot of server resources to execute. We’ll talk more about that in a later section.
The iThemes scanner doesn’t scan for malware at all. It checks if your website is on a blacklist, and that too just the one blacklist. Sucuri also has this check, but they had the decency to, firstly, not label it as a scanner, and, secondly, check more than just Google’s blacklist. Our test sites were obviously not on the blacklist, because they aren’t indexed. So when iThemes’ malware scan report gave us a clean chit for a site full of malware? Not impressed.
iThemes Security doesn’t have malware cleaning, automatic or otherwise. Wordfence can repair malware files, but the effectiveness depends on the malware detected. Wordfence has a premium malware removal service, which clocks in at a hefty $490 per site.
After it is done scanning, Wordfence lists 2 options for dealing with hacked files—apart from a CTA to get professional help: delete all deletable files and repair all repairable files.
The delete option got rid of 1 file successfully without errors, after showing a terrifying message about how deleting files can break your website. It is true, but malware is also scary! Anyway, the option was something of a damp squib, so we moved on to the repair option instead. The repair option had a similar warning, but we powered through and it was able to repair most of the files. When we ran the site through MalCare’s scanner, the site was free of malware.
Most of the other security plugins failed at this juncture, so we didn’t have to test much further. We’d gotten our results. However, Wordfence’s malware signature database is comprehensive, so we widened the net.
We added the hacked redirect malware to our website database, with a few instances of the Japanese keyword hack for good measure. We also hid chunks of malware in our premium plugins and themes, suspecting that these things would trip up the scanner and cleaner. And they did.
The conclusion that emerged was that if the Wordfence team has seen the malware, then repairing the files works. Otherwise it doesn’t. Wordfence also fails when there is malware in the database. So malware like that of the redirect hack or even just newer malware will definitely be missed. It will also miss malware in non-core WordPress files or non-public plugins and themes. Wordfence isn’t able to find malware in premium plugins and themes.
In case the automatic repair doesn’t work, you can opt for Wordfence’s malware removal service. The service removes malware, backdoors, and assesses the site for vulnerabilities. Wordfence also helps with delisting the malware-ridden site from any blacklists it may have landed on. The site cleanup is guaranteed for a year, only if the site admin follows the post-hack instructions to the letter. We cannot comment on the malware removal service’s efficacy, as we didn’t try it out.
As we said before, iThemes Security can’t clean malware, so nothing more to be said on that front.
In our experience, malware cleaning is the most critical aspect of WordPress security. It should definitely only ever be done by security experts, because there is huge potential for things to go horribly wrong. MalCare gives you the option to automatically clear malware, and access security experts to help with any issues that might crop up.
iThemes Security doesn’t have a firewall. Wordfence has a web application firewall that protects from most major and common threats effectively. But the free version gets updates later than the premium version.
A WordPress firewall is an important part of your security arsenal, as it keeps out attacks and malicious traffic through the use of rules. In most of the security plugins we reviewed, we avoided explaining the more technical details, as there was no point because the firewalls were either terrible or non-existent. But with Wordfence, things got a little more complicated.
When we installed Wordfence, the firewall went directly into learning mode. This is a required step so that the firewall can understand the site’s normal traffic and therefore block threats more effectively. Since we don’t get any traffic to our websites, we turned off learning mode at once, although it is recommended you keep it on for at least a week.
There is a separate section to manage the Wordfence firewall, so we explored that next. The first time you see it, it explains what a firewall is and what it does to protect your website. It also introduces the term ‘web application firewall’ here with a short description.
After testing both the free and premium firewalls, it is clear that Wordfence has an excellent firewall in both versions. They both kept out a series of SQL injection attacks, cross-site request forgeries, remote code injections, and cross-site scripting attacks. We were not able to exploit plugin and theme vulnerabilities.
That’s when we thought we should dig deeper: what is the difference between the free and premium versions?
In the firewall options, Wordfence explains the difference: the free version loads as a regular plugin, after WordPress has loaded. Plus, the premium version receives real-time rule updates, whereas the free version receives updates after an unspecified length of time.
Both of these things gave us pause.
Firstly, a firewall should load before WordPress for the best protection; however, most security plugins with firewalls load after WordPress, like a regular plugin. When that is the case, the Wordfence firewall can keep out most of the malicious traffic, but certainly not all of it.
Secondly, Wordfence has the most up-to-date firewall rules, but non-premium users get those updates later. Even that window is problematic, because hackers can attack during it. When does the free firewall get rule updates: days, weeks, or months later? Who knows.
Unsurprisingly, iThemes doesn’t have a firewall.
iThemes Security cannot detect vulnerabilities, much less help resolve them. Wordfence picked up on all the vulnerabilities we stuffed into the website, regardless of whether they were popular or obscure.
Wordfence correctly flagged all the out-of-date plugins with known vulnerabilities as critical threats. We also added a bunch of obscure plugins to the list, some with fewer than 200 users. The other security plugins we tested weren’t able to pick up on those vulnerabilities, so it is refreshing to see that Wordfence did. The scanner even flagged out-of-date plugins without known vulnerabilities as a medium threat, which is excellent because it is always good to keep everything updated.
You cannot fix vulnerabilities directly from the Wordfence dashboard. Most of the other plugins, like Jetpack and Sucuri, recommended updates and allowed you to carry those out from the same panel. Looking around Wordfence, there is no way to do that. It does take you to the updates dashboard though, which is good enough. There is no logical reason to replicate functionality that already exists in wp-admin.
Interestingly, the scanner also showed us errors with the iThemes and BackupBuddy plugins we had installed on one of the test sites. There appear to be coding anomalies in those plugins.
We had hoped that the iThemes scanner checks for vulnerabilities at the very least, considering its abject failure as a malware scanner. Yeah, no.
On top of this, the iThemes dashboard has a counter that indicates how many updates have been made since the plugin was installed. We imagine this poor excuse for a metric is supposed to be helpful to keep track of plugin and theme updates. It really isn’t though.
Brute force login protection
iThemes sometimes blocks brute force attacks, sometimes doesn’t. Wordfence blocks all brute force attacks unerringly.
With iThemes, we saw inconsistent brute force blocks. When we tried entering a series of bad credentials on the login page, iThemes only blocked the attempts on 1 site but not the other. The only difference between both sites was that the first had malware, whereas the second didn’t. Malware is usually the result of a successful login attack, so this difference is unlikely to be the reason. After several hours of trying the tests repeatedly, the results were inconclusive. We finally gave up trying to figure out what appears to be a bug.
After this exercise in deep frustration, we checked out the iThemes logs. Each incorrect login attempt was registered there as a brute force attack, even the time when we genuinely forgot our password. And yet, the plugin didn’t block all of them. Very strange and therefore unreliable.
With Wordfence, we first looked at the settings. Brute force protection is enabled by default, and you can go into the firewall section to customise options.
You can set lockouts for incorrect login attempts, including how many failed attempts trigger a lockout and how long the user stays locked out afterwards. What is especially great is that the documentation explains what each option does, and how to use it most effectively to protect the site.
You can set an allowlist for IPs that are not to be tested by the firewall. We’ve seen this feature in plenty of plugins, but with changing device IPs, it doesn’t make a ton of sense.
The strong password options are here too. You can enforce strong passwords, prevent the use of passwords found in data breaches, and much more.
Finally, we got down to testing, and the brute force protection works exactly as per the settings we picked. Perfect each time.
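The lockout policy described above (a failure threshold, a lockout duration and an IP allowlist) can be expressed in a few dozen lines of WordPress PHP. The snippet below is an added example written in the style of a must-use plugin; it is not code from Wordfence or iThemes, and the threshold, window, allowlist address and log prefix are assumptions chosen for illustration. Because one counter both records each failure and enforces the block, it cannot produce the "logged as a brute force attack but not blocked" behaviour we saw with iThemes.

```php
<?php
/**
 * Minimal WordPress login lockout (added example; not Wordfence or iThemes code).
 * Drop into wp-content/mu-plugins/ to try it. Values below are assumptions.
 */

const LOCKOUT_MAX_FAILURES   = 5;                 // failed attempts before lockout
const LOCKOUT_WINDOW_SECONDS = 15 * 60;           // counting window and lockout length
const LOCKOUT_ALLOWLIST      = ['203.0.113.10'];  // constructed example IP (RFC 5737 range)

function lockout_client_ip(): string {
    // REMOTE_ADDR is the only address the client itself cannot forge. Behind a
    // reverse proxy, substitute the proxy's trusted header after validating it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lockout_key(string $ip): string {
    return 'login_failures_' . md5($ip);
}

// Counting and logging happen in one place, so the log and the block agree.
add_action('wp_login_failed', function (string $username): void {
    $ip = lockout_client_ip();
    if (in_array($ip, LOCKOUT_ALLOWLIST, true)) {
        return;
    }
    $key      = lockout_key($ip);
    $failures = (int) get_transient($key) + 1;   // get_transient() returns false when unset
    // Re-setting the transient restarts the window, so an ongoing attack extends its own lockout.
    set_transient($key, $failures, LOCKOUT_WINDOW_SECONDS);
    error_log(sprintf('[login-lockout] failed login for "%s" from %s (%d/%d)',
        $username, $ip, $failures, LOCKOUT_MAX_FAILURES));
});

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out source is refused even when it finally guesses the right password.
add_filter('authenticate', function ($user, string $username, string $password) {
    $ip = lockout_client_ip();
    if (in_array($ip, LOCKOUT_ALLOWLIST, true)) {
        return $user;
    }
    if ((int) get_transient(lockout_key($ip)) >= LOCKOUT_MAX_FAILURES) {
        error_log(sprintf('[login-lockout] blocked login attempt from %s', $ip));
        return new WP_Error('locked_out', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter, so a user who mistypes once is not
// carried toward a lockout indefinitely.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(lockout_key(lockout_client_ip()));
}, 10, 2);
```

Transients on a single server are fine for a small site; on a multi-server setup they need a shared object cache, otherwise each node keeps its own count.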
iThemes activity log doesn’t log all events, so it is useless. Wordfence doesn’t have an activity log at all.
We are huge advocates of the humble activity log. It is a necessary security tool because hackers take advantage of insufficient logging to attack sites. Ideally, you want a reliable log that has the correct information about the goings-on of your website.
Not at all like the one iThemes has. iThemes’ activity log holds the promise of good information, like user activity, version management, site scans and brute force attacks. But these are not accurately logged, so the log cannot be trusted to present the correct picture. Apart from that, there is nothing about plugins or themes.
Wordfence, surprisingly, doesn’t have an activity log. There is an option to enable debugging from the Diagnostics section under Tools, which allows firewall logs to be more verbose. There is a full activity log for Wordfence events only in the Scan section, but that is not the same thing as an activity log. Besides, it is a raw log intended solely for Wordfence developers. By enabling the debugging mode, you will also consume more server resources. It is stated very clearly in that section.
iThemes has superb two-factor authentication which works seamlessly out of the box. Same with Wordfence.
Two-factor authentication works perfectly on both plugins. Both have a great set of options, and minimal setup. With Wordfence, the two-factor authentication used to be a premium feature which they have now enabled for free users as well.
We have only one small observation with the iThemes pro version. There are lots of settings that remove login tokens in the pro version: passwordless login, trusted devices, magic links, and so on. In our opinion, they directly oppose the principle of two-factor authentication by making the logging-in process easier.
Server resource usage
iThemes is very kind to your server resources, as it doesn’t do anything at all. Wordfence is actually banned by certain web hosts because of its immense cost to server resources.
We were pretty excited to put Wordfence through its paces. However, the real surprise came when we checked the performance of the website. The scans doubled, and in some cases tripled, the disk usage of our website, as the Wordfence scans took place. We acknowledge that our test sites are very small, so they don’t consume too many resources to begin with, but it is a significant jump nonetheless. On larger sites, the penalty would be considerable.
In fact, any changes to default settings come with a warning that there will be more server resources consumed. It is then safe to assume that Wordfence uses site server resources to perform all its tasks.
Which is bad enough, but will get much worse with the firewall. Any sustained attacks will overwhelm the website even if it is protected against these exploits.
Server resource usage rarely comes up as a talking point in website security, but security plugins often take a noticeable toll on website performance. So much so that admins have to make a tradeoff between security and usability. We don’t think this should ever be the case, and you can have your cake and eat it too with MalCare.
iThemes is great for your server resources. Can’t say the same for your site security.
iThemes doesn’t send you any alerts. Wordfence sends far too many.
Alerts need to strike the sweet spot between none, and too many. Both are equally bad extremes, because the net result is that you have no clue what the security of your website actually is.
Wordfence’s scanner can generate a lot of false positives, so you don’t really know when your website is really hacked. After a point, it can become like the boy who cried wolf. Same with the firewall. The firewall should just block attacks without raising an alarm each time, as it doesn’t serve a purpose. Therefore, our opinion is that Wordfence generates too many alarms to be at all useful.
iThemes sends a bunch of utterly banal, useless emails: file change notification reports, database backups, and other confirmations of our settings. There is also a daily security digest about our website, and a weekly vulnerability report. We imagine this is for our knowledge, so we can update the offending plugins and themes on our one or many websites manually.
Installation, configuration, and usability
Wordfence installs like a charm. No complex settings and obscure configurations. iThemes, on the other hand, was really hard.
iThemes is deceptively easy to start with, and then slowly devolves into lots of useless settings. There is a lengthy configuration to wade through before the dashboard is even created. To be honest, we should have read the signs and given this one up as a lost cause. But we are gluttons for punishment who power through for the greater good.
Wordfence installation was very easy, and there are no configuration options upfront. The first screen that pops up is the email subscription, which clearly states that you get security news in your inbox. The next screen is a prompt to upgrade to premium. At this point, we didn’t know what features the free plugin had, so we didn’t put in our premium licence immediately.
There is a 3-tooltip walkthrough as you visit the dashboard on wp-admin for the first time. The usability and language is terrific on Wordfence. There are clear explanations given for the features, and how they impact security. It is not overwhelming, nor does it dumb stuff down.
The dashboard design is very intuitive, and you can see at a glance all the important aspects of security related to your website. Overall, our first impression of Wordfence was terrific.
Additionally, Wordfence gives you useful recommendations for configuration. The documentation, which you can access from the tooltips on the dashboard, is highly contextual. It clearly lays out what each feature does and why, in addition to how to set it optimally for your website. Again, it is noteworthy how approachable the language is.
After reviewing for the critical aspects of security, and finding iThemes severely lacking, this section seems almost laughable.
iThemes has stuffed the plugin with a great deal of features, which have little to no impact on security. Case in point: the whitelist IP feature. Our device IPs change all the time, so this is no guarantee that certain people will be let through to the site, which is presumably the point.
There is also a file change monitor, which sends a report to your email address every 24 hours. The report contains a list of all the changed files. Not what the change was, who did it, or when exactly it happened. Nope, just an email saying: “Hello! All this on your site is now different from what it was yesterday. Bye!”
Once we got over our irritation, we wanted to acknowledge that iThemes has a good password management system. You can enforce strong passwords, and refuse to allow compromised passwords to be used on the site. We weren’t able to test this conclusively, but again the results were patchy.
There is one useful hardening feature: blocking PHP execution in the uploads folder. The others are nonsense.
Wordfence extras are all strictly security-related. No adjacent helpful features, like updates or user management options. Having said that, there are a lot of extras.
After the initial installation, we saw a notifications section for site updates. On our test site, it showed us that 5 plugins needed to be updated.
There is a Wordfence Central status box which allows you to manage multiple sites from the wp-admin of each site. This makes sense if you have a few sites on the same account, but the space is limited and won’t work for agencies with hundreds of sites. Good thing there is an external dashboard. You have to create an account on the Wordfence website to access Wordfence Central. In our opinion, it doesn’t make sense to have the central box on the site dashboard.
We added all the test sites to Wordfence Central and got a bird’s eye view of all of them. It isn’t the best layout for anything more than 20 sites. The idea is good, the execution is lacking.
Next we checked out the Tools section. There is a panel for live traffic, which at first glance, seemed like a version of Google Analytics, but turned out to be more than that. You can set the traffic logs to include all traffic or just security related traffic. The logs are great, because there is a clear legend to indicate what kind of traffic the website is getting: human, bot, warning, blocked.
There is also a Whois lookup, in case you want to see who is attacking your website. This is a frill at best, because this feature is easily available online too.
The Diagnostics one is an interesting feature. It contains a whole bunch of information about the website, right from process owners to database tables and more besides. It is like a spec of the website in one place, along with the status of each of those things. Hard to imagine how an ordinary user (non-dev) would use any of this info, but definitely useful for a developer.
What’s missing from iThemes Security and Wordfence
iThemes is missing a scanner, cleaner and firewall. Also, it would be nice if it had functional brute force protection and activity log, and detected a vulnerability on occasion. One can hope.
Wordfence doesn’t have bot protection nor an activity log. Other than that, it is a comprehensive and well-rounded security plugin.
Wordfence vs iThemes Security: Pricing
It is not worth buying iThemes Security, because its only worthwhile feature is two-factor authentication, which is available for free. Wordfence premium is available for $99 for the year, but the free version is strong enough on its own.
Wordfence’s free plugin is really great, considering it is free. The premium licenses are at a max of $99 per site, and get progressively lower with the more licenses you purchase.
The real kicker is the site cleaning service which is a hefty $490 per site, and although they say unlimited pages in the features, additional charges may apply for sites above 10 GB—which, fair enough. They do have a malware removal guarantee for 1 year, but there are caveats in the small print. So read those carefully.
After reading this article, you know that iThemes isn’t worth your money. Use it for two-factor authentication or get a dedicated plugin for that feature.
Better alternative to iThemes Security and Wordfence: MalCare
The best thing you can do for your website is to invest in a good security plugin. The plugin should scan, clean and protect your website from all manner of threats. During our testing series, only one plugin stood out: MalCare. It outshines iThemes in every way, and has a much better scanning, auto-cleaning, firewall, and notifications compared to Wordfence. It is a no-brainer.
MalCare’s $99 Basic plan includes unlimited cleanups. Compare that with Wordfence’s $99 plan, where every cleanup needed thereafter costs $490 per site.
Recommended read: Sucuri vs Wordfence
We hope this article helped you decide on a way forward for your website security. If you have any questions or thoughts, do drop us a line. We would love to hear from you!