iThemes Security review: beginner-friendly WordPress security
iThemes Security is a user-friendly WordPress security plugin that protects your site with 50+ security features. The plugin was formerly known as iThemes Security Pro and has been rebranded to Solid Security after acquisition by SolidWP. With over 1 million active installations, it's a popular choice for site owners who want security without technical complexity.
The big difference from technical plugins like Wordfence is the beginner-friendly approach. iThemes Security uses clear language and toggle switches instead of technical jargon. Each setting has a clear explanation of what it does and why it's important. This makes security accessible for non-technical WordPress users.
The free version offers basic protection with login security, ban management, and security hardening. iThemes Security Pro costs €99 per year and adds two-factor authentication, scheduled malware scanning, password management, and version control. The Pro version is worth the investment for professional sites needing comprehensive protection.
What exactly is iThemes Security?
iThemes Security is a comprehensive security plugin that secures your WordPress site in multiple areas: brute force protection, malware detection, login security, database backups, and security hardening. The plugin scans your site for vulnerabilities and offers one-click fixes for common security problems.
The plugin organizes features into categories: Site Security, User Security, Advanced Security, and Notifications. Within each category, you find toggle switches to turn features on or off. This modular system lets you choose exactly which protection layers you want without being overwhelmed.
iThemes has a Security Check dashboard showing your current security level with a score. Each recommendation has an impact indicator (high, medium, low) so you know which fixes are most important. This gamification element motivates users to improve their security.
Dashboard and ease of use
The iThemes Security dashboard is clearer than those of competitors. The main page shows your security score, recent lockouts, and important warnings. Instead of technical logs, you see understandable summaries. A green checkmark means everything is fine, an orange warning needs attention, and red is critical.
The Settings page is organized with collapsible sections per feature group. You don't need to navigate through endless tabs like with Wordfence. Each setting has an info icon explaining what it does, why it's important, and what impact it has on your site.
iThemes integrates naturally with the WordPress admin. There are no separate dashboards or external services needed. Everything happens within your own WordPress installation. This makes it intuitive – if you understand WordPress, you understand iThemes Security.
Installation and initial setup
Installation is done via Plugins > Add New in WordPress. Search for "iThemes Security" or "Solid Security" (both names work) and click Install and Activate. The free version installs by default. For the Pro version, buy a license at ithemes.com and enter the license key.
After activation, iThemes starts a Security Check wizard. This scans your site for configuration problems and shows known issues, such as the admin username still being "admin", overly broad file permissions, an outdated WordPress version, or a missing SSL certificate.
Wizard guided setup
The wizard offers quick fixes for found problems. With one click, you can set safe file permissions, change admin username, disable XML-RPC, and modify database table prefixes. Each action has a description of what it does and why it helps.
For non-destructive fixes like blocking author enumeration, you can just click. For impactful changes like changing database prefixes, iThemes asks for confirmation and advises a backup. This caution prevents beginners from breaking their site.
After the wizard, you get a security score. This is a percentage of recommended features you've activated. Most sites start around 40-60%. By implementing recommendations, you raise the score to 80-90%. A perfect 100% is often not necessary and can negatively affect usability.
Essential initial settings
Go to Security > Settings and activate Local Brute Force Protection. This limits login attempts per IP address. Set it to 5 attempts in 15 minutes. Stricter settings can lock out legitimate users. iThemes stores banned IPs in your database.
Enable Change Content Directory. This renames the wp-content directory to iThemes-content-* with a random string. Hackers expect the standard WordPress directory structure. By changing this, you make automated attack scripts ineffective. Note: this can cause compatibility issues with some plugins.
Pro users should activate File Change Detection. This monitors your core WordPress files, plugins, and themes for unauthorized changes. If a hacker injects a backdoor, iThemes detects this and sends an alert. Free users unfortunately lack this feature.
Brute force protection
Brute force attacks try to log in by testing thousands of username/password combinations. iThemes Security blocks these attacks by limiting login attempts and banning suspicious IPs. This is the most common WordPress attack and the first line of defense.
Login limiting and lockouts
Local Brute Force Protection counts wrong login attempts per IP address. After the specified maximum (default 10 in 5 minutes), that IP is temporarily banned. The ban lasts 15 minutes by default but is configurable to permanent.
iThemes shows locked-out IPs in an overview with the timestamp, the username that was tried, and the number of attempts. You can manually whitelist or blacklist IPs. Whitelisting is useful for your own office IP if you often forget passwords.
Network Brute Force Protection (Pro) synchronizes with iThemes' cloud database of malicious IPs. If an IP address performs attacks on the iThemes network, it's automatically banned on your site too. This gives you crowd-sourced protection against distributed attacks.
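To make the local lockout mechanics concrete, here is an added illustration (my code, not Solid Security's) of a per-IP failed-login counter with a sliding window, temporary or permanent lockouts, a whitelist, and a lockout log of the kind the overview above shows. The class and method names are assumptions; the default numbers follow the ones quoted in this section.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Per-IP failed-login counter with temporary lockouts.

    Constructed illustration of the "N failed attempts within a window
    locks the IP for a while" scheme described in the review; the class
    and method names are assumptions, not the plugin's API.
    """

    def __init__(self, max_attempts=10, window=5 * 60, lockout=15 * 60,
                 whitelist=(), permanent=False):
        self.max_attempts = max_attempts
        self.window = window          # seconds in which failures are counted
        self.lockout = lockout        # seconds a lockout lasts
        self.permanent = permanent    # True = ban until manually removed
        self.whitelist = set(whitelist)
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.locked_until = {}               # ip -> expiry time (inf if permanent)
        self.lockout_log = []                # (time, ip, username, attempts)

    def _prune(self, ip, now):
        # Drop failures that have fallen out of the sliding window.
        q = self.failures[ip]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]      # lockout expired
        return False

    def record_failure(self, ip, username, now):
        """Register a failed login; returns True if this one triggered a lockout."""
        if ip in self.whitelist:
            return False
        self._prune(ip, now)
        self.failures[ip].append(now)
        attempts = len(self.failures[ip])
        if attempts >= self.max_attempts:
            self.locked_until[ip] = float("inf") if self.permanent else now + self.lockout
            self.lockout_log.append((now, ip, username, attempts))
            self.failures[ip].clear()
            return True
        return False

    def record_success(self, ip):
        # A successful login resets the counter for that IP.
        self.failures.pop(ip, None)

    def unlock(self, ip):
        """Manual unban action, as offered in the lockout overview."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)
```

The timestamps and IP addresses in any test are constructed (TEST-NET ranges), and `now` is passed in explicitly so the behaviour is reproducible.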
Login page modifications
iThemes can change your login URL from the standard /wp-admin and /wp-login.php to a custom slug like /mysecurelogin. Hackers targeting standard URLs get a 404 error. This is security through obscurity but helps against automatic scanners.
Note: if you forget your custom login URL, you're locked out. iThemes offers an emergency recovery option: uploading a specific file via FTP resets the login URL. Document your custom URL well.
CAPTCHA integration (Pro) adds Google reCAPTCHA to your login form. Bots can't solve CAPTCHA and are blocked. This effectively prevents automated brute force scripts. The trade-off is extra friction for legitimate users.
Two-factor authentication (Pro feature)
iThemes Security Pro offers built-in 2FA without extra plugins. Two-factor authentication requires a second verification step after your password: a code from an authenticator app. Even if your password is leaked, hackers can't log in without your phone.
2FA implementation
Users can activate 2FA in their WordPress profile. iThemes shows a QR code you scan with Google Authenticator, Authy, Microsoft Authenticator, or other TOTP apps. The app generates a new 6-digit code every 30 seconds.
At login, you first enter your username and password. If correct, iThemes asks for your 2FA code. You open your authenticator app, read the code, and enter it. After verification, you're logged in. This process adds 5-10 seconds to login but dramatically increases security.
Admins can require 2FA for specific user roles. This is essential for administrators and editors with many privileges. Authors and subscribers can optionally use 2FA. Forced 2FA prevents users from ignoring it.
Recovery and backup codes
During 2FA setup, iThemes generates recovery codes. These are one-time codes you can use if you lose your phone. Store these codes safely in a password manager, or print them and keep them in a physical location.
If you have neither your phone nor your recovery codes, you must disable 2FA via database access or FTP. This requires technical knowledge, so make sure you store your recovery codes safely before activating 2FA.
iThemes also supports email-based 2FA as fallback. Instead of an authenticator app, it sends a code to your email. This is less secure (emails can be intercepted) but better than no 2FA.
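The TOTP flow in "2FA implementation" and the one-time recovery codes above, as an added example (my code, not the plugin's): the 6-digit code is derived per RFC 6238 from a shared secret and the 30-second time step, verification tolerates one step of clock drift, each code is accepted only once, and recovery codes are stored hashed and consumed on use. The class name, the `ExampleSite` issuer and the recovery-code format are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp_code(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"

class SecondFactor:
    """Server-side 2FA state for one user (constructed illustration, not the plugin's code)."""

    def __init__(self, secret_b32=None, recovery_count=10):
        self.secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.last_counter = -1            # replay guard: each code verifies once
        self.recovery_hashes = set()      # store hashes, never the plain codes
        self.unused_recovery_codes = self._issue_recovery_codes(recovery_count)

    def provisioning_uri(self, account, issuer="ExampleSite"):
        # This is what the QR code encodes for Google Authenticator, Authy, etc.
        return (f"otpauth://totp/{issuer}:{account}?secret={self.secret}"
                f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")

    def verify_totp(self, code, now=None, step=30, skew=1):
        """Accept the current code or one step either side (clock drift), once only."""
        now = int(time.time()) if now is None else int(now)
        current = now // step
        for counter in range(current - skew, current + skew + 1):
            if counter <= self.last_counter:
                continue                  # already used, or older than a used code
            expected = totp_code(self.secret, counter * step, step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False

    def _issue_recovery_codes(self, n):
        codes = ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(n)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes       # shown to the user once, to be kept in a password manager

    def redeem_recovery_code(self, code):
        """One-time use: a consumed code is removed so it cannot be replayed."""
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self.recovery_hashes:
            self.recovery_hashes.remove(h)
            return True
        return False
```

The RFC 6238 test secret (base32 of the ASCII string 12345678901234567890) can be used to check `totp_code` against the published vectors.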
Password management (Pro)
iThemes Security Pro scans all user accounts for weak passwords. It can enforce password policies requiring users to use strong passwords with minimum length, special characters, and numbers.
Password strength enforcement
The plugin can set minimum password lengths per user role. For example: administrators minimum 14 characters, editors 12, authors 10. Weak passwords like "password123" are automatically rejected.
Password age limits force users to periodically change their password. You can set passwords to expire every 90 days. This is best practice for high-security environments but can be annoying for small teams.
iThemes integrates with the Have I Been Pwned (HIBP) database. This is a collection of billions of leaked passwords from data breaches. If a user tries to use a password appearing in HIBP, iThemes refuses it and warns that the password is compromised.
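An added example (not iThemes' own code) of how a per-role minimum length and a Have I Been Pwned check fit together. The real check queries the public range endpoint with only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves the site; here that lookup is replaced by a constructed in-memory stand-in so the code runs offline. The role minimums reuse the figures from this section, and the breach counts are made up.

```python
import hashlib

# Minimum lengths per role, using the figures from the review as an illustration.
MIN_LENGTH = {"administrator": 14, "editor": 12, "author": 10, "subscriber": 8}

# Constructed stand-in for breach data: password -> times seen in breaches.
# A real deployment queries https://api.pwnedpasswords.com/range/<prefix> instead.
FAKE_BREACHED = {"password123": 126927, "letmein": 282926, "qwerty": 3912816}

def sha1_upper(password):
    # HIBP's range API works on upper-case hex SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix):
    """Mimics the HIBP range response: 'SUFFIX:COUNT' lines for one 5-char prefix."""
    lines = []
    for pw, count in FAKE_BREACHED.items():
        h = sha1_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return lines

def breach_count(password, range_lookup=fake_range_lookup):
    """k-anonymity check: send only the hash prefix, match the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_password(password, role, range_lookup=fake_range_lookup):
    """Returns (accepted, reason): length policy first, then the breach check."""
    minimum = MIN_LENGTH.get(role, 8)
    if len(password) < minimum:
        return False, f"too short for role {role}: minimum {minimum} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"password appears in {seen} known breaches"
    return True, "ok"
```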
User session management
Session timeouts automatically log out users after a period of inactivity. This prevents unattended computers from remaining logged in and being misused. You can set different timeouts per user role: admins after 15 minutes, editors after 30 minutes.
iThemes can also limit concurrent logins. By default, the same user account can be logged in from multiple locations simultaneously. By blocking concurrent sessions, you prevent account sharing or credential theft. If someone logs in elsewhere with your account, you're automatically logged out.
File change detection and monitoring (Pro)
File Change Detection is a powerful Pro feature that monitors all files in your WordPress installation for changes. If a hacker injects a backdoor or compromises a plugin, iThemes detects this and warns you.
How does file monitoring work?
Upon activation, iThemes scans all files and creates checksums (hashes). This baseline is stored. On subsequent scans, iThemes compares new checksums with the baseline. If a file has changed, you see a warning.
You get detailed information: which file changed, when, and what changed. For text files, iThemes can show a diff (what was added or removed). This helps you distinguish whether a change is legitimate (you updated a plugin) or malicious (hacker injects code).
Scheduled scanning runs daily or weekly at a chosen time. Real-time monitoring is not available – scans are batch jobs that consume CPU. On shared hosting, it is better to run scans at night.
Excludes and false positives
Some legitimate files change frequently: cache files, log files, uploads. iThemes lets you exclude directories from monitoring. By default, common cache and uploads directories are already excluded. You can add custom exclusions to reduce false positives.
After a plugin update, you expect that plugin's files to change. iThemes doesn't know this automatically, so you get warnings. You must review these warnings and mark them as "legitimate" to accept the new baseline.
For sites with many plugins and frequent updates, this can become tedious. However, it's the trade-off for early detection of compromises. A single backdoor detection justifies the effort of periodic review.
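The baseline-and-compare approach described under "How does file monitoring work?" and the exclusion handling above, as an added example (my code, not the plugin's): every file outside the excluded directories is hashed, a copy of small text files is kept so a unified diff can be shown, and the report lists added, removed and modified paths. The exclusion defaults, the size limit and the constructed mini WordPress tree in `demo()` are assumptions.

```python
import difflib, hashlib, os, tempfile

# Directories whose contents change legitimately all the time (assumed defaults).
DEFAULT_EXCLUDES = ("wp-content/cache/", "wp-content/uploads/")
MAX_DIFF_BYTES = 64 * 1024     # keep a copy of small text files so a diff can be shown

def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _snapshot(path):
    """Per-file record: hash plus, for small text files, the text itself."""
    rec = {"sha256": _hash_file(path), "text": None}
    if os.path.getsize(path) <= MAX_DIFF_BYTES:
        try:
            with open(path, "r", encoding="utf-8") as f:
                rec["text"] = f.read()
        except UnicodeDecodeError:
            pass    # binary file: hash only
    return rec

def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(ex) for ex in excludes):
                continue
            baseline[rel] = _snapshot(full)
    return baseline

def compare(root, baseline, excludes=DEFAULT_EXCLUDES):
    """Report added/removed/modified files relative to the stored baseline.
    report["current"] is the new baseline to store once you have reviewed
    the changes and marked them as legitimate (e.g. after a plugin update)."""
    current = build_baseline(root, excludes)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": [], "diffs": {}, "current": current}
    for rel in sorted(set(current) & set(baseline)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] == new["sha256"]:
            continue
        report["modified"].append(rel)
        if old["text"] is not None and new["text"] is not None:
            report["diffs"][rel] = "".join(difflib.unified_diff(
                old["text"].splitlines(True), new["text"].splitlines(True),
                "baseline/" + rel, "current/" + rel))
    return report

def _write(root, rel, text, mode="w"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode, encoding="utf-8") as f:
        f.write(text)

def demo():
    """Constructed mini WordPress tree: one plugin edit, one new file, one cache write."""
    root = tempfile.mkdtemp()
    _write(root, "wp-content/plugins/example/example.php",
           "<?php\nfunction example_init() {\n    return true;\n}\n")
    _write(root, "wp-content/cache/page.html", "cached\n")
    baseline = build_baseline(root)
    # Simulate an unexpected edit, a new file, and routine cache churn (excluded).
    _write(root, "wp-content/plugins/example/example.php",
           "// line appended outside of any update\n", mode="a")
    _write(root, "wp-content/plugins/example/extra.php", "<?php\n")
    _write(root, "wp-content/cache/page.html", "regenerated\n")
    return compare(root, baseline)
```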
Database backups (free feature)
iThemes Security includes built-in database backup functionality. This is unusual for a security plugin – backup is typically a separate plugin like UpdraftPlus. iThemes adds it as an extra security layer.
Backup scheduling and storage
You can schedule automatic database backups: daily, weekly, or monthly. Backups are stored locally on your server in a protected directory by default. You can also send them to email or sync via FTP to an external location.
Note: iThemes only backs up your database, not your files (uploads, themes, plugins). For complete site backups, you need a separate backup plugin. The database, however, contains your content, settings, and user data, which are the most important things to secure.
Retention settings determine how many backups are kept. By default, this is the last 10 backups. Old backups are automatically deleted to save disk space. For sites with many transactions (like webshops), 10 backups can quickly become outdated.
Restore process
Restoring from a backup must be done via phpMyAdmin or other database tools. iThemes has no one-click restore function. You must download the backup SQL file and manually import it. This requires technical knowledge.
For non-technical users, this is a disadvantage. Dedicated backup plugins like UpdraftPlus have one-click restore. iThemes' backup feature is more an emergency fallback than a complete backup solution.
Free vs Pro features
iThemes Security free offers solid basic protection. You get brute force protection, ban management, database backups, file permissions hardening, and WordPress security hardening. For small sites and blogs, the free version is sufficient.
iThemes Security Pro costs €99 per year for one site. This adds critical features the free version lacks: two-factor authentication, scheduled malware scanning, file change detection, password management, and user activity logging. For professional sites, Pro is a must-have.
Pro exclusive features summary
Two-factor authentication: Require 2FA for all or specific user roles. Supports TOTP authenticator apps and email-based codes. The free version has no 2FA; you must use a separate plugin.
Site Scanner: Scheduled malware scans look for known malware signatures, backdoors, and compromised files. Free version has no scanning capabilities. Scans run via iThemes' cloud service.
File Change Detection: Monitors all files for unauthorized changes. Detects injected backdoors and modified core files. Essential for early detection of hacks.
Password Security: Enforced password policies, HIBP integration, password age limits. Scans all users for weak credentials and forces stronger passwords.
User Logging: Detailed audit logs of all user actions: logins, file uploads, post edits, settings changes. Invaluable for forensics after an incident.
Trusted Devices: Recognize devices you use and skip 2FA for trusted devices. Balance between security and convenience. New devices require 2FA verification.
Version Management: Rollback plugins and themes to previous versions directly from WordPress admin. Useful if an update breaks something or introduces a security issue.
Dashboard Widget: Customizable widget on your WordPress dashboard with real-time security status. See at a glance lockouts, scans, and alerts.
Cost-benefit analysis
For €99 per year, you get enterprise-level features that would typically require separate plugins. A dedicated 2FA plugin costs €30-50. Malware scanning services like MalCare start from €99. File monitoring plugins are €40+. iThemes bundles all this.
For professional sites generating revenue, €99 per year is negligible. A single day of downtime from a hack costs more. Pro features significantly reduce risk. The ROI is positive for any site that earns you income.
Hobby sites and personal blogs can manage fine with the free version. Combine it with good hosting security and regular updates and you're reasonably protected.
Pros and cons
Pros:
Beginner-friendly: iThemes uses clear language and simple toggle switches. Each setting has an explanation. This makes security accessible for non-technical site owners. Wordfence, in contrast, bombards you with technical details.
Modular system: You can choose exactly which features you want without activating everything. This prevents feature bloat and reduces performance impact. Other plugins force an all-or-nothing approach on you.
One-click fixes: The Security Check wizard offers quick fixes for common issues. No manual editing of wp-config.php or .htaccess. iThemes does it for you with clear confirmations.
Pro features valuable: 2FA, file monitoring, password management, and scanning in one package for €99 is well-priced. You don't need to stack multiple plugins for complete security coverage.
Active development: SolidWP (formerly iThemes) actively maintains the plugin with regular updates. Support is responsive. The community is active with good documentation and tutorials.
No cloud dependency for basics: Unlike Sucuri, iThemes runs entirely locally. You don't need to change DNS or trust external services. This gives control and privacy.
Database backups included: Free version already has database backups. This is unique for security plugins. Useful as extra safety, though not a complete backup solution.
Cons:
Free version limited: Crucial features like 2FA and malware scanning are Pro-only. Free users have incomplete protection. Competitors like All In One WP Security offer more for free.
No real-time threat intelligence: iThemes lacks a threat feed like the one Wordfence has. It doesn't automatically block known malicious IPs. You depend on your own lockout mechanisms.
Scanning basic: Pro scanning detects known malware but isn't as advanced as dedicated security services. No behavioral analysis or zero-day detection. Sucuri and MalCare scan deeper.
File change detection can be noisy: With frequent plugin updates, you get many warnings. You must manually accept legitimate changes. This becomes tedious for sites with many plugins.
No post-hack cleanup: iThemes detects compromises but doesn't help with cleanup. You must repair infected files yourself. Sucuri and MalCare offer cleanup services.
Per-site pricing: €99 per site per year is OK for one site but scales poorly. For ten sites, you pay €990. No multi-site discount or agency licensing. This makes iThemes expensive for agencies.
Change content directory risky: Renaming wp-content can cause compatibility issues with hardcoded paths in plugins or themes. Advanced feature but not without risk.
Who is iThemes Security suitable for?
iThemes Security is the ideal choice for WordPress users who want good security without technical complexity. If you're overwhelmed by Wordfence's dashboards full of technical logs, iThemes' beginner-friendly interface is a relief.
Small businesses with business websites without a dedicated tech person benefit excellently from iThemes Pro. The €99 per year gives you peace of mind that your site is protected without needing to become a security expert. The guided setup wizard helps you set up a secure configuration in 15 minutes.
WordPress beginners just launching their first site benefit from the free version. It provides solid basic protection while you learn WordPress. As your site grows and becomes more important, you upgrade to Pro for extra features.
Freelancers and consultants building client sites appreciate iThemes' ease of use. You can deliver clients a securely configured site without extensive security training. The UI is intuitive enough that clients can manage basic security tasks themselves.
Less suitable for
Security professionals and advanced users may find iThemes too simplistic. If you want to dive deep into firewall rules or write custom security policies, iThemes lacks granularity. Wordfence or dedicated WAFs offer more control.
Sites already hacked benefit little from iThemes. It may detect the infection via file change detection, but doesn't help with cleanup. For post-hack situations, you need Sucuri or MalCare with cleanup services.
High-traffic sites with millions of pageviews may find iThemes' brute force protection insufficient. The local IP ban mechanism doesn't scale perfectly for distributed attacks. Cloud-based firewalls like Sucuri or Cloudflare are more effective for DDoS scenarios.
Agencies with many client sites find per-site pricing expensive. For twenty client sites, you pay €1980 per year. Competitors like MalCare offer agency plans with volume discounts. iThemes has no multi-site licensing.
Alternatives to iThemes Security
iThemes Security positions itself as a beginner-friendly middle ground between free basic plugins and expensive managed services. Alternatives offer more power (Wordfence), a completely free option (All In One WP Security), or managed cleanup (Sucuri).
Wordfence
Wordfence is more technical and powerful than iThemes. It has an endpoint firewall, real-time threat intelligence feed, and more extensive scanning. The free version is already very complete. Wordfence Premium costs €119, slightly more expensive than iThemes Pro.
The disadvantage: steep learning curve. Wordfence's interface shows lots of technical data. For security professionals this is great, for beginners overwhelming. iThemes is more user-friendly but less powerful.
Choose Wordfence if: You're technical, want the most powerful firewall, need real-time threat updates, or don't mind technical interfaces.
All In One WP Security
All In One WP Security is completely free, with no premium version. It offers similar features to iThemes free: brute force protection, firewall, user account security, database backups. A security meter visualizes your security level.
The interface is functional but dated. Performance is good because it's lightweight. It lacks, however, Pro features like 2FA (you need a separate plugin for this) and scheduled scanning.
Choose All In One WP Security if: You want completely free security, are on a budget, or are looking for a simple no-frills solution without premium upsells.
Sucuri
Sucuri is a cloud-based security platform with a firewall at the DNS level. The big USP is post-hack cleanup services. If you get hacked, Sucuri cleans your site. Sucuri Platform costs €299 per year, more expensive than iThemes but including managed cleanup.
It requires DNS changes, which is technically more complex. But you get DDoS protection and a CDN included. Sucuri is for sites that want professional managed security.
Choose Sucuri if: You want post-hack cleanup, need DDoS protection, prefer a cloud-based solution, or are non-technical and want fully managed security.
Frequently asked questions
What's the difference between iThemes Security and Solid Security?
It's the same plugin. iThemes Security was rebranded to Solid Security after acquisition by SolidWP. You can use both names in the WordPress plugin repository. Functionality is identical. Existing users don't need to do anything – the plugin continues to work.
Does iThemes Security cost per site or can I use it on multiple sites?
iThemes Security Pro licenses are per site. For one site you pay €99 per year. For five sites you need five licenses (5 × €99 = €495). There's no multi-site discount. For agencies with many client sites, this quickly becomes expensive compared to competitors offering unlimited site licensing.
Does iThemes Security work together with other security plugins?
You can combine iThemes with backup plugins like UpdraftPlus without problems. However, never run two firewall or brute force plugins simultaneously. iThemes and Wordfence, for example, can conflict. Choose one security suite and possibly combine it with a dedicated backup or CDN service.
How do I activate two-factor authentication in iThemes Security?
2FA is only available in the Pro version. After upgrade, go to your WordPress profile and find the iThemes Security section. Click "Configure Two-Factor" and scan the QR code with Google Authenticator, Authy, or another TOTP authenticator app. Store recovery codes safely. From now on, login requires your password plus the 6-digit code from your app.
Can iThemes Security clean my hacked site?
No, iThemes may detect malware via file change detection or site scanning, but doesn't automatically clean your site. You must remove infected files yourself or hire a security expert. For post-hack cleanup, you need services like Sucuri or MalCare that do offer this. iThemes is proactive protection, not reactive cleanup.