iThemes Security Pro – Comprehensive Protection for Your WordPress Website

Summary (details below):

Product name:iThemes Security Pro
What it does:Comprehensive protection for your website against hackers: locks down system files, brute force protection, daily malware scans, monitors file changes, away mode, hides login URL, 2 factor authentication, password expiry and more (see below)
Where to buy:iThemes
Price:From US$80, but there are multiple options


Please assume any links on this page are affiliate links. An affiliate link means I will get a small commission if you decide to buy the product, but it will not affect the price you pay. The price you pay is the same, whether you buy it through my link or go directly to the site.

One of the first and best things you should do upon setting up a new WordPress-based website is to immediately strengthen the defence of your site against hackers by installing a professional security plugin.

Why is this important?

WordPress now powers more than 30% of websites online, which makes it a natural target for hackers – in the same way that Microsoft computers and Internet Explorer were.

The WordPress security team is good, and respond quickly to new threats, but you need the additional protection of a strong, all-encompassing security plugin.

And there are a number of good ones available:

  1. Wordfence
  2. iThemes Security
  3. Sucuri security
  4. Bullet proof security
  5. Acunetix WP security scan
  6. All in one WP security and firewall
  7. 65Scan security
  8. Defender

Which of those are the best?

Of those, the best 3 are, in my view:

  • iThemes Security Pro
  • WordFence
  • Sucuri Security

All 3 have free versions with optional upgrades to Pro (or premium), and in all cases the upgrade is definitely worth it.

However, a wise move would be to install the free version first and test each of them in turn to find the one you prefer to work with before upgrading.

My favourite, though, is iThemes Security Pro.

Why iThemes Security Pro?

I used to use Wordfence, and did so very happily for some time. But I eventually moved across to iThemes because I also use their backup plugin: BackupBuddy.

And since a proper backup routine is an essential part of a security strategy I wanted 2 plugins that would work seamlessly together.

These two do it.

A second factor was the user-interface: working my way through the plugin’s settings is a lot more intuitive with iThemes than it was with Wordfence. Plus, iThemes has published a web page (I’ve linked to it below) that takes you through all the settings, explaining each and recommending the one you should use.

This makes it much easier to set up what is a reasonably complicated plugin.

A third factor is that the iThemes security team work very closely with Sucuri, and the plugin integrates scheduled scans by the Sucuri malware scanner. Given the expertise and experience of Sucuri in the area of security management generally and WordPress security management in particular, this was a strong factor for me.

iThemes Security options and settings

Because this plugin is so extensive there is a blizzard of settings you can tinker with.

Ithemes Security Settings PageHowever, If you’re not into tinkering you can leave the settings at default and your site will still be well protected. That said, it’s always worth it (in my view) to explore a plugin like this when you install it just to learn what to expect, if nothing else.

Of course, there’s no need to enable all of the settings – for example, I don’t enable the reCAPTCHA setting because I have Two Factor Authentication set up, or the SSL setting because all my sites are built by default with SSL certificates. There are others I leave disabled as well.

So you can choose to ignore options for which you don’t see a need, or for which you have an alternative in place, and you should ignore any options that could potentially clash with plugins you’re using.

Where an option may conflict with other functions on your site this is made clear in the settings panel, so that’s easy to avoid.

The ones I would definitely recommend you enable, though, are these:

  • Global settings
  • 404 detection
  • Banned users
  • Local brute force protection
  • File permissions
  • Network brute force protection
  • SSL, but only if your site is not already operating on SSL (HTTPS)
  • System tweaks
  • WordPress tweaks
  • Malware scan scheduling
  • Password requirements
  • Two factor authentication
  • User logging (but only if you have other users beside yourself)
  • iThemes security logs

Full details with links to each section are set out on this page.


The support from iThemes is business hours Monday to Friday, and by ticket/email only – i.e. no chat or telephone support. I don’t mind the ticket/email format, but the Monday to Friday schedule is a bit disappointing because if anything goes wrong at the beginning of the weekend you have a couple of days to wait before you can get help.

Support desk representativeThat said, the support is extremely helpful and effective. I have always had problems resolved quickly, efficiently and thoroughly.

When a more complicated problem arises, the iThemes support person who responds to your query will see it through to completion, without escalating the problem to a ‘Senior engineer’, or a second level support group, where you have to go through the entire problem from the beginning again.

They have even installed other plugins on their machines and tested conflicts with them on the odd occasion I have found a clash between another plugin and Security Pro. When they’ve found the problem, they’ve given me snippets of code to add to my installation to resolve it prior to releasing an updated version of the plugin.

This has only happened once or twice in all the years I’ve been using iThemes products – and they were with big, complex plugins like Woo Commerce and WPML.

But I was very impressed with that.

Visit the iThemes website to get more details:

What steps next?

I recommend you try the free version of iThemes security to see how it works. It will provide you with a good level of protection for your site.

Look at things like the user interface and, on the settings screen, the areas of protection that it offers. In particular, on the settings page, you will see the additional modules you get with the pro version – they are definitely worth it!

When you’re comfortable with using it day-to-day then upgrade to the Pro version.

Why iThemes Security Pro?

As I said earlier, the reasons I chose iThemes Security Pro are:

  • I found the user interface to be the most intuitive
  • iThemes provides (and maintains) recommended settings (along with descriptions) both online and as a downloadable PDF
  • It works closely with, and incorporates scheduled malware scans from Sucuri
  • It works closely and well with iThemes’ BackupBuddy – and a strong backup routine is an essential part of a security strategy

To get the details on iThemes Security Pro please visit their website:

Do you use a security plugin on your website? If so, which one? If you have any questions or thoughts please leave a comment below and I’ll get back to you 🙂


Martin Malden

Martin Malden
Owner – WP Security Basics