Jetpack is built by Automattic, the OG WordPress developer, so it is a popular choice and comes up a lot in recommendations. It also has a lot of other features for website administration built into the premium plans, so having everything on one dashboard is an attractive proposition. 

iThemes talks a great game on their website, and looks like the most affordable WordPress security plugin for multiple websites. At $199 per year for unlimited websites, the more you have, the more bang you get for your buck.

However, there is a lot more to WordPress security than fanfare. We’ll talk about all of that in the article.

iThemes isn’t even worth considering as a security plugin. It doesn’t have a scanner or firewall. Both iThemes and Jetpack have no means for malware removal, so even if Jetpack flagged malware—which it misses 60% of the time—you need to find another way to get rid of it. If you really want to protect your site, MalCare is by far the best security plugin for WordPress.

Summary of Jetpack vs iThemes comparison

There is no real comparison between the 2 plugins: it is like comparing a phone with two cans connected by string.

iThemes Security in a nutshell

We have come to a conclusion that iThemes is a waste of time and money. If you have iThemes installed right now, you should scan your website immediately. Your website literally has no security. 

iThemes is chock full of simple features that may give an inexperienced user the illusion of a secure website. While it doesn’t claim to clean malware, it does claim to scan. Therein lies the rub: the iThemes website doesn’t explicitly state that it scans for malware or that it detects vulnerabilities. It implies it by using the word ‘scan’ in close proximity to the words ‘vulnerabilities’ and ‘malware’. In fact, iThemes’ entire website is deceptively worded to convey that your website is getting great security. 

Spoiler alert: it isn’t. We were tempted to stop testing right there, but powered through in the interest of fairness. 

You can use iThemes to enable two-factor authentication well on your login page, and some other WordPress hardening features, like blocking PHP execution in folders. The brute force login protection works unevenly, only working some of the time. 

We get why at first glance security for unlimited sites at just $199 looks like a great deal. In effect, however, you would be paying for two-factor authentication—with a lot of frills and furbelows—and implementation of reCAPTCHA on your login page.

These features have value from a security perspective, but are not adding any real security to your website. Other, more robust security plugins will have these as par for course. Alternatively, you can opt for a dedicated plugin instead. 

Overall, testing iThemes was an awful experience because we can only imagine how many people are under the mistaken impression that their WordPress sites are protected. If you use iThemes on your WordPress website, you should scan your website right now.

Jetpack Security in a nutshell

Jetpack’s Scan plan has a medium-grade scanner which will find some malware in files. It also did a reasonable job of detecting plugin and theme vulnerabilities. We don’t recommend springing for the Security Daily plan though, because Jetpack is not a good security plugin. It catches only a small fraction of malware, and even the missed 1% will create havoc. We recommend a deep scan to find malware effectively.

Jetpack’s free plan has brute force protection against login attacks, and upgrading to the Scan plan will get you a decent scanner. We also like that Jetpack doesn’t promise anything it doesn’t do, especially when we contrast this against iThemes. 

Jetpack has a good activity log, which is great for debugging issues and an important tool in WordPress security. You can manage all the functionality of your website from an external WordPress.com dashboard, so that is also great. Jetpack also sends you emails when it detects problems which require your attention.

On the flip side, the brute force login protection doesn’t work. That’s bad enough, but what is worse is the missed malware and vulnerabilities. We compared Jetpack’s scan results to MalCare’s, and found that Jetpack wasn’t able to detect around 30% of the malware-infected files. Of the 3 vulnerable plugins, it flagged only 2.  

Granted, no security plugin is perfect and the threat landscape is constantly evolving. However, if we had to choose a security plugin, we would always choose one with better performance. Even if one hack gets through to your website, there will be carnage.

Recommended read: Wordfence vs Jetpack

What you should be looking for in a security solution

A great security plugin saves you a ton of money in real terms. Investing in a security plugin can save you from lost revenue, blocked ads, and poor SEO rankings. But since all security plugins aren’t built the same, how do you choose the best one for your website? 

When we tested the security plugins, we looked for the efficacy and ease of how they performed on the following points: 

• Essential security features
  • Malware scanning
  • Malware cleaning
  • Firewall
  • Vulnerability detection
  • Brute force login protection
  • Activity log
• Good-to-have security features
  • Two-factor authentication
• Potential problems
  • Impact on server resources

Our non-negotiable criteria for a good security plugin is that it should protect your website from hackers and bots, be able to scan your site for malware, and help you clean your website so that it is pristine once again. MalCare does all of these things—and much more—seamlessly, so naturally we have high standards.

Jetpack vs iThemes: Head-to-head comparison of features

When we started testing other security plugins, we realised very quickly that there are a lot of features that have little to no impact on the security of the websites. In some cases, they were placebos, included to make the dashboard and settings screen look better, we imagine. So we refactored our testing process a bit, focusing more on real security features, then on so-called security features, and finally on the other things that make for a good plugin (UI, dashboard, pricing, etc.)

Malware scanning

Jetpack missed most of the malware. To our shock, iThemes detects absolutely nothing.

We tested out Jetpack’s Scan and Security Daily plans, because their free version doesn’t have a scanner at all. 

We threw a lot of malware at Jetpack, and it flagged some of the files which had malware. Some of the files which had bad code weren’t flagged at all, so the scanner definitely isn’t 100%. The alarms were essentially meaningless, because they showed up as “malicious code pattern”. 

If we had tested Jetpack first, we wouldn’t have been too impressed with this. But, as luck would have it, we tried iThemes first. And boy, did that set the bar low. To our utter disbelief, we realised that the iThemes scanner only checks if the website is listed on Google’s blacklist. 

That’s literally the extent of its scanning capabilities. Both our bad test sites got a clean chit of health from iThemes, because they aren’t on Google’s blacklist. 

Malware cleaning

Both Jetpack and iThemes don’t claim to clean malware, so they obviously cannot and do not. 

Jetpack plan details gave us the faint hope that some malware may be fixed automatically, but none of our hacked files were fixable. The plugin suggests we contact a service provider to get the malware removed, or try removing it manually and then running the scan again. In an effort to be helpful, the bad code is marked in the scan results, so presumably we can delete it from the file. 

Considering that iThemes cannot scan for malware, it follows that it cannot clean malware. In their defense though, they don’t claim to be able to. 

Malware cleaning is the most difficult and fiddly part of dealing with a hack, and therefore hack removal services charge exorbitant amounts to do it. MalCare has an auto-clean feature built right into the plugin (and the subscription), therefore obviating the need for hack removal services altogether.

Firewall

There are no firewalls here. 

One of the critical parts of WordPress security is a firewall. Firewalls keep out malicious traffic, and therefore protect your website from hackers. Hackers look for vulnerabilities to exploit on websites, and firewalls are instrumental in being able to do that. 

Neither Jetpack nor iThemes have a firewall. Know which plugin has an intelligent firewall, specifically designed to protect WordPress websites? MalCare. 

Vulnerability detection

Jetpack detected most of the vulnerabilities on our test sites. Again, iThemes fell short, detecting nothing. 

Jetpack was able to pick up on vulnerable plugins, and offer an auto-fix option for those—which is essentially to update them. Because Jetpack’s Security Daily plan has integrated backups, we were able to test this out, and it worked seamlessly. Our only caveat here was that the scanner only picked up on 2 out of the 3 vulnerable plugins. 

iThemes is incapable of checking plugin and theme versions from the looks of it. It does have an extremely redundant counter on the dashboard which shows you a summary of updates that have been done.

Brute force login protection

Jetpack blocks repeated failed login attempts elegantly. iThemes’ login protection is unreliable. 

iThemes marks every mistaken login as a brute force attempt, which was unnecessarily alarming. When we tried to brute force the login page for 2 of our test websites, iThemes blocked the attempt on just 1 site.

The difference between the websites is that one had malware, and the other didn’t. We tried on the third site as well, and the brute force protection didn’t work at all. Overall, the results were inconclusive. We figured that the feature works sporadically, which makes it useless.

Jetpack offers brute force attack protection on their free plan. Login attempts are not limited, but you will see an unobtrusive numeric challenge added to the login page after 10 failed attempts. It logs all failed attempts after the first 3 as malicious login attempts, which is fair. 

We also expected our IP to get blocked after trying 50+ incorrect logins in less than a minute. The expectation was largely fueled by the option to whitelist admin IPs to prevent lockouts. Lockouts are the bane of poorly coded security plugins, so that’s probably why this option exists at all. At any rate, we tried to force an IP block, but couldn’t.

Activity log

Jetpack’s activity log is great, although data is only available for 30 days. iThemes logs are incomplete, and therefore not useful.  

An activity log is a critical tool for protecting websites, because hackers take advantage of insufficient logging to attack sites. iThemes logs user activity, version management, site scans and brute force attacks. We didn’t see any other types of activity logged during our testing window. Taken in isolation as an activity log, we would rank its performance as fair. It would have been better to have seen changes that plugins made to settings. For instance, we installed Jetpack at the same time, and it changed lots of settings. None of this appeared on the activity log. 

However, when we consider iThemes activity log together with the non-existent scanner and the patchy brute force protection, our rating plummets. The logs are where admin would go to check on the security status of their website. It is supposed to be a snapshot, and it just doesn’t paint the correct picture. 

Jetpack, on the other hand, has a superb activity log. You get a taste of it on the free plan, but you see it really kick in on paid plans. It tracks all user actions, threats (this is on a premium plan, of course), and even changes to settings. The activity screen also acts like a mini-dashboard, indicating things that need attention like outdated plugins and themes, or malware. 

Our only caveat with Jetpack’s activity log is that even the premium version has data for only 30 days. It isn’t enough. 

Two-factor authentication

iThemes has a robust two-factor authentication feature. Jetpack doesn’t have this feature at all. 

Fun story: Two-factor authentication is the first feature we tested with iThemes, and we were quite favourably impressed. There are a lot of customizations possible, and it works seamlessly out of the box. Users can have their token of choice, and it works great. 

However—yes, there is a ‘however’—the pro plan had a bunch of so-called features which actually removed other login tokens; namely passwordless login, trusted devices, and magic links. All these options provide alternative methods to login into an account, and honestly negate the entire point of two-factor authentication: which is an additional, real-time login token. So we were left bemused by this. The solution is not to use those features. 

Jetpack doesn’t have two-factor authentication.

Server resource usage

Jetpack scanning puts a load on the server resources. iThemes didn’t because, well, it doesn’t do anything. So there is no question of server usage. 

Now this is an interesting one. Many people don’t consider how much load their security plugins put on their website servers. Unless they get an email from their hosting provider, perhaps. For smaller sites, this might not be a big deal. But for big sites? You absolutely have to consider the implications. 

iThemes, we can safely ignore because no scan-no protect-no clean means no load. It actually wins this point, because even a broken clock is right twice a day. 

Jetpack made our server resources spike during scanning. Our site barely clocks in at a 60 MB database, so it really is a lightweight site, to begin with. If our website was heavier or an e-commerce site, the impact would be much more visible—and therefore is a cause for concern.

Alerts

Jetpack sends email alerts for detected malware and vulnerabilities. iThemes sends no alerts whatsoever. 

If something goes wrong with your website, you want to know immediately so you can address it. Jetpack alerts you to the presence of malware and potential vulnerabilities instantly after the scan completes. There are also dashboard notifications for malware. This is great, because these alerts are mission critical. You want to know instantly when things are bad. 

However, we also tested the downtime monitoring feature, because it came as part of the plan and we were curious as to how Jetpack handles downtime. Turns out, Jetpack didn’t alert us when our sites went down. We tried crashing the site in various ways: renaming the index.php file so we got a Forbidden error; renaming the wp-load.php file so the website couldn’t be reached, and more. None of these things caused a blip on Jetpack. 

Downtime monitoring is not strictly a security feature, but downtime is one of the symptoms of malware. Quite apart from that, we would want to know the second our site went down. It really is that critical. So we are conflicted on how to rate alerts for Jetpack: from a security angle, they work; but they still don’t fulfil the promises that they make. This makes us wary about trusting the plugin at all. 

By this point in the article, you know that iThemes didn’t do anything useful. We got file change reports, notifications for when we took a database backup, joined the brute force network, and other confirmations. In addition, we got a daily security digest with absolutely useless info, and a weekly email with the list of WordPress vulnerabilities that had been discovered.

Perhaps we are supposed to check our website themes and plugins against this handy list, and take necessary action. However, we got tired of doing that for one site; forget the other two. It is impossible for anyone with a sizeable number of websites to manage.

Installation, configuration, and usability

Again, Jetpack trumps iThemes here. In what we presume is an effort to appear competent at security, iThemes has filled the entire plugin with noise. There is just no other way to describe it. 

iThemes installation appears to be easy. There was no need to create an account to get started, which helped us get started right away. You can choose to configure settings at installation, or skip to do so later on. But if you skip config, your security dashboard is not created. That’s where the easy part came to a screeching halt.

The configuration options are confusing for a new user. It gives the impression of granular control, but has no real impact on security. We waded through all the settings to understand what we needed to do to have a secure website, but ultimately it was a waste of time with iThemes. 

Jetpack installation was a little painful. You can’t move forward with any of the security features, unless you create or connect a WordPress.com account, which serves as the external dashboard.

Also, you keep getting prompted to choose a plan, and you are taken away from wp-admin several times to do that. Finally, to get at least a first impression of the plugin, we went with a Scan plan. The configuration was much, much easier though, because you aren’t presented with an avalanche of customisations and unnecessary options. Do we really need to customise the brute force email that goes out to admin, iThemes? No we really do not!

The iThemes dashboard is useless, because there is no real security-related info there. Brute force logs are meaningless if the attempts are not logged correctly. We don’t need a list of scans about whether or not our site is on Google’s blacklist. The Jetpack wp-admin dashboard was better, but only slightly. As a free user, you will mostly see what your plan can, but doesn’t, do. There will be a counter for malicious attacks prevented, but no granular data about those attacks. Just a number is a vanity metric for Jetpack, and perhaps a soothing one for skittish admin.

iThemes: Extras

We’ve seen a lot of complaints about admins being locked out of their websites by iThemes. So presumably this is why they have an elaborate IP whitelist feature that even detects your current IP. We tried this a couple of times, and because device IPs can change, the whitelist had several IPs. Interestingly, this is supposed to reassure people that they won’t get locked out of their website. However, based on our learnings, you can’t actually get locked out of your site with iThemes anyway, and it has nothing to do with the whitelist. 

Next, iThemes has a file change monitor. Monitoring file changes is of limited security value, because files can also be edited to show an inaccurate timestamp. We were also perplexed to see that there is a file extension exclusion list, which includes filetypes that are known to carry malware like .ico files, for example. 

iThemes has an extraordinarily granular user management system. You can configure settings right down to the user role. However, hidden in all this noise are some pretty good password management policies: enforce strong passwords and refuse compromised passwords. You can also have application passwords that are distinct from your account password, so you can use XML-RPC. 

Finally, iThemes has some hardening features, which we have debunked in other articles as being counterintuitive. For instance, don’t change your login URL. iThemes themselves say it is a bad idea. You can disable the file editor, but it is of limited value because a hacker with admin access can install a plugin instead. 

The one feature we thought made sense is to block PHP execution in the uploads folder. However, iThemes also suggests that you do it for the plugins and themes folders, and that is sheer madness. Some plugins have scripts that need to be accessed directly, and are sure to break in this case. It is impossible for a normal user to determine if this is the case.

Jetpack: Extras

Jetpack bundles backups with their security. Obviously we are huge advocates of backups, so we are totally pro this feature. We didn’t test it out, because technically it is not a security feature, but a really good-to-have in all cases. 

Surprisingly, Jetpack also has preventing lockout as a feature. According to their website, your IP can get blocked as part of the brute force protection, but we didn’t come across a block when we tried to brute force the login screen. You can add your IP address to this whitelist, but with changing IP addresses for devices, this is not useful. 

When you create a Jetpack account, you are actually creating a WordPress.com account. That also serves as your external dashboard, and the vast majority of information is shown here. Jetpack on your wp-admin is more of a snapshot.

What’s missing from iThemes and Jetpack

Both Jetpack and iThemes don’t have a firewall, so are unable to protect websites from certain types of attacks. This is a glaring problem, because if you have vulnerabilities on your website, a strong firewall can significantly reduce the number of exploits.

We would have liked to see a few more hardening features in Jetpack as well, and frankly the security features could be more robust.

Jetpack vs iThemes: Pricing + final thoughts

iThemes is a waste of money. Jetpack’s Scan plan is $80 per site per year for an average scanner; the Security Daily plan is not worth the price. 

If you’ve read any part of this article, you know that iThemes is not worth a dime. Its sole saving grace is the two-factor authentication, which you can get with the free plan. The Pro plan teeters on the edge of being a scam. 

Jetpack’s scanner isn’t perfect. It didn’t catch all the malware, nor all the vulnerabilities. However, it was helpful in terms of pinpointing files with malware. There is no malware cleaning to speak of, so in our opinion, the Security Daily plan is not worth considering from a security perspective. 

The free plan is a non-starter. Brute force protection is an important feature, but we would have liked to see scanning at least here as well. There is no way we can check for the presence of malware on the free plan.

Better alternative to iThemes and Jetpack: MalCare

The best security you can get for your WordPress website is to invest in a good plugin that gives you scanning, cleaning, protection. MalCare is a vastly better alternative to both iThemes and Jetpack in every one of our testing criteria. 

In fact, MalCare’s $150 Plus plan is comparable to Jetpack’s $300 Security Daily plan, with better features and at half the price. There is just no contest. 

Recommended read: Wordfence vs iThemes security

Conclusion

If you have to economize, the security of your website is not the place to do it. Paying for a premium security plugin to protect your website is a good investment because it is far more expensive to deal with the consequences of malware. 

Have any thoughts to share? Do drop us a line. We would love to hear from you!