Best WordPress Security Plugin

WordPress sites are attacked by hackers every day. Many sites fall prey to hackers simply because they’re not secure enough: they have too little protection in place, or only basic protection that attackers have little trouble getting around. Many sites have weak passwords, obsolete software with security holes, and plugin vulnerabilities. According to iThemes, an average of 30,000 new sites are hacked per day.

Website security is not something you want to play around with. A website with weak security can do a lot of damage to your business, reputation, and your readers and customers. To protect your site from hackers, it’s best to plug up the holes, strengthen your site against specific types of attacks, and strengthen user credentials. iThemes Security plugin does that and more. In fact, it’s one of the most comprehensive and feature-rich security plugins available. It’s available in both a free and premium edition. Let’s take a look, shall we?

Overview of Plugin

iThemes Security touts itself as the #1 security plugin for WordPress. Big claim, but with over 30 features to protect your site, iThemes puts its money where its mouth is. And users agree, giving it a rating of 4.7 out of 5 with downloads approaching 4 million.

To get a better understanding of its features, I took the plugin for a test drive. I installed the free edition on a test site. Here is what installing it looks like. Next we’ll take a look at the dashboard.

Installation and Setup

After the install, you’re given several options. The first option is to protect your site by taking it to the next level with iThemes Brute Force Network Protection.

Secure Your Site Now

Clicking the button to secure your site now gives you a popup with several choices.

Choices include:

  • Back Up Your Site – back up your database before securing your site. Includes posts, pages, comments, and user information. For media files, themes, and plugins you’ll want to use BackupBuddy.
  • Allow File Updates – automatically updates your wp-config.php and .htaccess files
  • Secure Your Site – enables default settings that do not conflict with your plugins and themes
  • Help Us Improve – allows iThemes to collect anonymous data about what features you use to help improve the plugin’s features.

Click each one. When it’s complete it will take you to the dashboard.

The Dashboard

There are several features on the dashboard. Here’s the rundown:

Don’t Lock Yourself Out

The plugin watches for suspicious activity on your site. If it detects anything it doesn’t like, it will lock that IP out, and that can include your own. You can get around this if there are issues with your site that you need to work on. Clicking Temporarily Whitelist my IP will whitelist your IP from lockouts for 24 hours. You can still be locked out if your IP changes.

Getting Started

This section includes a 3-minute video that shows you how to secure your site using iThemes Security plugin. It gives a quick-start guide of the basic settings.

This section also includes an option to get expert help or upgrade to the pro edition.

Security Status

The security status of all of your items is shown by priority: high, medium, and low. Each task has a Fix It button. I used it on a test site to see what the tasks were. The high priority tasks were highlighted in red. Here is the run-down:

High Priority

  • Your site is not performing any scheduled database backups
  • Malware scanning is not enabled

Clicking the first one took me to the scheduled backup section in the settings screen, where I could turn on scheduled backups and choose the interval (3 days was the default).

Clicking the second one took me to the malware scanning settings in the settings screen, where I was asked for an API key. To get this key, simply visit VirusTotal and set up a free account.

Medium Priority

  • Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection.
  • Your login area is partially protected from brute force attacks. We recommend you use both network and local blocking for full security.
  • Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.
  • You are not protecting common WordPress files from access. Click here to protect WordPress files.
  • XML-RPC is available on your WordPress installation. Attackers can use this feature to attack your site. Click here to disable access to XML-RPC.
  • Users can execute PHP from the uploads folder.

This is a short list of the medium priority tasks. They were highlighted in yellow. Clicking on the fix it button for each one took me to the settings where I could enable it and make any adjustments I wanted. Some were advanced settings.

Next was Low Priority followed by System Information which included information about the database, server, PHP version, and more.


Settings

Settings include:

  • Global
  • 404 Detection – locks out someone that gets too many 404 pages (possible hackers)
  • Away Mode – disable access to the dashboard during times you don’t use it
  • Banned Users
  • Brute Force Protection – bans users after too many failed login attempts (I got a notice of this happening within minutes of turning this plugin on)
  • Database Backups – schedules backups to email and any other location you choose
  • File Change Detection – lets you know when changes have been made
  • Hide Login Area – hides the login page from automated attacks and simplifies login
  • Malware Scanning
  • SSL – you choose which pages run SSL
  • Strong Passwords – forces users to have strong passwords
  • System Tweaks
  • WordPress Tweaks
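
To make concrete what three of these settings (404 Detection, Brute Force Protection, and the XML-RPC item from the medium priority list) actually do under the hood, here is a small must-use plugin. It is an added illustration written for this review, not code from iThemes Security or from the post, and it is far simpler than the plugin: the thresholds, the `exh_` function names and the lockout window are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Hardening (illustration only, not iThemes Security)
 * Description: Drop into wp-content/mu-plugins/. Disables XML-RPC, locks out an
 *              IP after repeated failed logins, and locks out an IP that hits
 *              too many 404s. All thresholds below are assumed values.
 */

// Assumed thresholds; tune for your own traffic.
const EXH_MAX_FAILED_LOGINS = 5;                       // failed logins before lockout
const EXH_MAX_404S          = 20;                      // 404s before lockout
const EXH_WINDOW_SECONDS    = 15 * MINUTE_IN_SECONDS;  // counting window
const EXH_LOCKOUT_SECONDS   = HOUR_IN_SECONDS;         // lockout duration

// 1. XML-RPC. The xmlrpc_enabled filter refuses every method that requires a
//    login; pingback.ping needs no login, so it is removed separately.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'] );
	return $methods;
} );

/** Client IP. Only REMOTE_ADDR is trusted; behind a reverse proxy, have the proxy set it. */
function exh_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for one counter or lock, per IP. */
function exh_key( $kind, $ip ) {
	return 'exh_' . $kind . '_' . md5( $ip );
}

/** Count one event for this IP inside the window; lock the IP once $limit is reached. */
function exh_record( $kind, $limit ) {
	$ip    = exh_client_ip();
	$count = (int) get_transient( exh_key( $kind, $ip ) ) + 1;
	set_transient( exh_key( $kind, $ip ), $count, EXH_WINDOW_SECONDS );
	if ( $count >= $limit ) {
		set_transient( exh_key( 'lock', $ip ), time(), EXH_LOCKOUT_SECONDS );
		delete_transient( exh_key( $kind, $ip ) );
		error_log( sprintf( 'exh: locked out %s after %d %s events', $ip, $count, $kind ) );
	}
}

/** True while the current IP is inside its lockout window. */
function exh_is_locked() {
	return false !== get_transient( exh_key( 'lock', exh_client_ip() ) );
}

// 2. Brute force protection: count failed logins and refuse authentication
//    while locked. Priority 99 runs after core's username/password check, so
//    a correct password from a locked IP is still rejected.
add_action( 'wp_login_failed', function ( $username ) {
	exh_record( 'login', EXH_MAX_FAILED_LOGINS );
} );

add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( exh_is_locked() ) {
		return new WP_Error( 'exh_locked', __( 'Too many failed login attempts. Try again later.' ) );
	}
	return $user;
}, 99, 3 );

// 3. 404 detection: count missing pages per IP on front-end requests and
//    serve a 403 to locked IPs instead of rendering anything.
add_action( 'template_redirect', function () {
	if ( exh_is_locked() ) {
		status_header( 403 );
		nocache_headers();
		exit( 'Forbidden' );
	}
	if ( is_404() ) {
		exh_record( '404', EXH_MAX_404S );
	}
} );
```

Two caveats a practitioner would check before relying on something like this: transients live in the options table or object cache, so lockouts are per-site rather than shared across a network (the "network" blocking iThemes offers is a different, shared list), and if the site sits behind a proxy or CDN every visitor shares one REMOTE_ADDR, so a single attacker would lock out everyone until the proxy is configured to pass the real client address.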

Advanced Settings

Advanced settings include:

  • Admin User – removes common attributes
  • Change Content Directory – makes it more difficult for hackers to find problems
  • Change Database Prefix – makes it harder for scripts to find your database


Backups

This is where you can create backups or change the settings for your backups. You can also learn about using BackupBuddy.


Logs

This will show you all of the activity that the plugin has detected. It includes work that you’ve done such as backups and malware scans, activities by other users, invalid login attempts, and much more.


Help

Help is more than just a few documents to read. It includes:

  • Community support from
  • Support Pro Features with iThemes Security Pro
  • Have a Pro Secure Your Site
  • Hack Repair

Thoughts on Using iThemes Security

Setting it up and getting started was fast and easy. You can get it up and running by simply clicking the default settings button. I chose the default settings and only had to make adjustments as I clicked “Fix It” in the high and medium priority issues. There are LOTS of features and settings so you can tweak it pretty much any way you want to.

The most impressive part to me is that everything I’ve covered so far is in the free edition. So now let’s take some time to look at the Pro edition.



Pro Edition

The Pro edition adds even more features to this already feature-rich plugin. Here’s a list of Pro features:

  • User Action Logging – track when users log in, log out, or edit content
  • 2-Factor Authentication – use Google Authenticator or Authy to send a custom code to your phone for logging in
  • Import/Export Settings – great for setting up multiple WordPress sites
  • Malware Scanning – set up schedules for scanning
  • Password Expiration – have users’ passwords expire after a set time
  • Generate Strong Passwords – generate strong passwords from the profile screen
  • Dashboard Widget – manage tasks from the WordPress dashboard.
  • Online File Comparison – it will scan changed files to determine if the change was malicious
  • Temporary Privilege Escalation – give someone temporary admin or editor access to your site. It will automatically reset itself.
  • wp-cli Integration – manage security from the command line
  • Google reCAPTCHA

They are currently working on expanding the feature-set for the Pro edition, too. One feature is Geo-IP banning. This will let you block IPs by country if you’re getting lots of spam and brute force attacks from a specific country. You can view and discuss plans for upcoming features on their public Trello board. Other features they are showing on their Trello board are:

  • Settings Migration
  • Plugin and Theme Blacklist
  • Use alternative domain for WordPress dashboard
  • Federated Authentication
  • Sleep Mode


Pricing

There are several pricing options available:

  • Personal – $80, 2 licenses. A good choice for personal websites.
  • Business – $100, 10 licenses. A good choice for multiple business sites.
  • Developer – $150, unlimited licenses. Perfect for designers and developers.
  • Plugin Suite – $247, the Developer license for all 20 of iThemes plugins.


Video Tutorials

There are several video tutorials to help get you started and make the adjustments you want:

Wrapping Up

iThemes Security is one of the best and most feature-rich plugins for easily securing your WordPress site. While it’s not possible to achieve 100% security online, using the iThemes Security plugin will eliminate most threats. It has some of the best features available in a security plugin. Setting it up is easy and using it is intuitive. I tried it with several themes and plugin configurations and had no issues with it.

Have you tried iThemes Security plugin? Do you use one of these alternatives? Did I leave out your favorite security plugin? I’d like to hear your thoughts in the comments below!
