iThemes Security review

iThemes Security is a widely used WordPress security plugin. According to its listing page in the official WordPress repository, the extension currently protects over a million sites, and it has a good rating as well. It was formerly known as Better WP Security but was rebranded for some reason. In addition to rebranding the extension, the developers made substantial changes to the UI to make it less complicated.

Is iThemes Security good enough to protect your website? Can it block attacks and harden your site’s security? Is its new/revamped user interface easy to use? Go through our review of this plugin to get the answer to these questions.

iThemes Security ships with a setup wizard. The wizard has these six parts – Site type, Features, User groups, Configure, Notifications, and Secure site. Let’s have a comprehensive look at the parts of the wizard.

Site type

Users are asked to select the website type when they visit the iThemes Security settings page after activating the plugin. These are the website types users can select – eCommerce, network, non-profit, blog, portfolio, and brochure. After choosing the website type, users must choose the user type. You can select one of these user types – self or client. Once you choose the type, iThemes Security shows a list of user roles. You must select an appropriate role from this list. IS then shows a toggle option to “enforce a password policy”.


Features

The Features section lets users activate two-factor authentication, enable local/network brute force attack protection, and turn on the security check pro function. This function makes the plugin check the IP addresses of users accessing the site on iThemes servers. According to its developer, this method of checking IPs is more accurate. To enable it, you can enter the API key, which you can get from the official website of the extension. iThemes Security can also detect changes to important WordPress core files and schedule site scans.

User groups

iThemes Security will load this part once you have configured the features and site type settings. The User Groups section can prevent users from modifying the plugin’s settings and allow/disallow users from creating a new security dashboard. It enables users to use a strong password and make the plugin check the “Have I been pwned” database for password breaches. IS won’t look up the entire password in the database but will only check the first five characters. Each WordPress user has its own User Security setting, and you can also create a new user group in IS.


Configure

iThemes Security’s brute force attack function can lock out the website admins too. You can prevent this by entering the admin’s or any other user’s IP in the form appearing in the Configure section. The plugin lets you choose the IP address detection method. It supports these two methods – automatic and manual. You can also configure it not to detect IP addresses and use only the IPs you specify while locking out users trying to access your WP dashboard. The Configure section has one more section – Lockouts. From the Lockouts section, you can enroll yourself/your site in a network of websites that report bad IPs, etc., to the iThemes Security team by entering your email address in a text box you’ll find in this form.


Notifications

If you want to be kept updated on the security-related activity on your website, enter your email ID in the form appearing here. Below the textbox for entering the email address, you’ll find a list of user groups. Some of the groups are pre-selected. The email addresses belonging to your chosen user groups will get email alerts.

Secure Site

This section shows important settings you may not have configured and must configure to secure your site.

If you quit the wizard midway, you can resume it from the point where you left off. When the wizard exits, iThemes Security will add a dashboard option under the “Security” menu. The dashboard page shows several cards. It has an option to back up the database and shows the number of hosts/users blocked by the plugin. IS also has an option to run a site scan and shows a graph of brute force attacks. It shows the list of IP addresses banned by the extension. You can reorder the cards or enable/disable any card of your choice.

Database backups

As mentioned above, the Dashboard page enables you to back up the website database. You can schedule backup tasks in iThemes Security and configure the plugin to save the backup locally, send the backup to the inbox of the users, etc. IS can compress the backup before saving it on the server or sending it to the user’s inbox. You can configure it to exclude certain DB tables from the backup or include specific tables in the backup.


Logs

The iThemes Security log page lists every activity of the extension and of the user while using the plugin. The log page shows these columns – module, type, time, host, user, and details. To see more details of an activity, click the “view details” link that appears in the “Details” column.

Pro features

The iThemes Security Pro edition ships with a better site scanner module. This module will not only scan files but will also try to patch them to make sure your site is working normally. The plugin’s Pro version offers an interesting feature called “trusted devices”. It also allows users to activate the passwordless login features and can add reCAPTCHA to the forms. It ships with the WordPress Tweaks function and offers a version management tool. Pro users also enjoy premium ticket-based support from the iThemes Security development team. If you want to enable/use these features for your site, you should buy one of these two subscription plans – Basic or Plus. The Basic plan costs $80. The Plus plan is available for $127.


Pros

  • Less complicated.
  • UI is simple.


Cons

  • Some options are slightly difficult to reach (for example, backups).

Pramod is the founder of wptls. He has been using WordPress for more than nine years. He builds web applications, and writes about his experiences with various WP products on this site.
