iThemes Security Pro Review

As a WordPress enthusiast who doesn’t know how to code and develop WordPress specific functions and plugins, security is not something always in my mind.

The questions that usually comes creeping up to me whenever I hear security for WordPress is “Why would anyone want to hack my WordPress website?”. “Don’t hackers have more prominent WordPress websites to hack?”. “What good would it bring to hackers by hacking my WordPress website?”.

After all, my WordPress website is nothing but a blog where I write about my WordPress journey during my free time and try to make some extra cash out of it.

However, I do have a security plugin installed into this WordPress blog. It’s called Sucuri and it’s the free version. I installed it just to remove that little paranoia in me.

Once in a while when the paranoia strikes, I quickly access the Last Logins section of the Sucuri plugin which shows all the successful logins based on the time. I usually log into this WordPress blog about once a day. So, if there are more than that, there’s some hacking going on, right?

Thankfully, there isn’t any suspicious login that I have encountered.

Other than that, Sucuri also has this Audit Logs thing where it records all the activities that have been carried out in the blog on a daily basis. For example, if there is a blog post deleted, then Sucuri will record the details of the blog post such as the post ID, the user who deleted it, the time it was deleted and etc. I also check these logs to clear the paranoia in me.

Besides the above two features of Sucuri, I really have no idea how Sucuri as a security plugin works. They have this WordPress integrity thing, site scanning and so on which I couldn’t be bothered.

Anyways, I’m not writing this post for the purpose of Sucuri. I’m writing for another security plugin which I have stumbled upon while reviewing a WooCommerce hosting provider not long ago. Fortunately for me, that WooCommerce hosting provider gave me access to the security plugin, which is called iThemes Security.

Similar to Sucuri, there is a free version and pro version of it. I had the pro version, iThemes Security Pro. I’m seizing the moment with this review of it.

iThemes Security Pro review

On a sea level comparison between Sucuri (free version) and iThemes Security (free version), they are both different security plugins. Sucuri is more focused on malware scanning, DDoS protection & monitoring and etc whereas iThemes Security is more focused on tightening up security.

For instance, there is Away Mode. This allows you to disable the access to the WordPress dashboard during certain periods of time. For example, when you are about to sleep, you can disable the access until the following day till you wake up in the morning. This limits the exposure to hackers and at the same time allows you to have a good night sleep.

Other than that, the free version also allows you to protect your WordPress website or blog from brute force attacks. For example, you can set the max login attempts, you can ban the user from the login screen if he or she uses the “admin” username and much more stuff related to this.

There’s a setting which allows you to force the users in your WordPress website or blog to use a strong password. There’s a setting which allows you to blacklist certain IP addresses from accessing your WordPress website or blog. And many more.

No wonder the free iThemes Security plugin has received more than 3,000 five star ratings in the WordPress plugin repo.

They deserve every single rating.

Going beyond the free version is the pro version of the plugin or also known as the iThemes Security Pro. The apple of my eye at this very moment.

The price to pay is $52 to protect a single WordPress website or a blog. If you have more WordPress websites or blogs to protect, you will need to get the Freelancer version or the Gold version.

iThemes Security Pro gives you access to more of that good security stuff.

There are 11 additional security settings added with the pro version. The free version has 16 security settings. In total, there are 27.

Anyone will be able to tell that 27 security measures is a hell lot of security measures. Only a crazy hacker will attempt to crack a WordPress website or a blog with such security lockdown.

The one that got my attention the most out of the 11 additional security settings is Magic Links. This Magic Links allows you to log into your WordPress website or blog even though you are locked out from it because of the brute force attack performed by the hackers. But of course, the brute force attack settings have to be enabled first for this to work.

This Magic Links setting is like Moses parting the Red Sea. The Red Sea is like the hackers who are trying to get in your way and the Magic Links is the Staff which makes way for you no matter what. And iThemes Security is the God that makes it all happen.

Other security settings that got me interested is the Two-Factor Authentication. This security setting is actually something that can be obtained for free in WordPress. I even wrote a tutorial on how to set up Two-Factor Authentication in WordPress for free. However, what’s unique about the one with iThemes Security Pro is that this setting is not limited for the Administrator only like the way the free plugin in the tutorial does it, it enables for all user roles including for the Subscriber and Contributor. In other words, every user in your WordPress website or blog that have signed up for an account will be able to set up two-factor authentication to secure their respective account. This is a useful security setting if your WordPress website or blog allows users to sign up for an account and store important information for whatever reasons. But of course, it also allows you to disable the setting on certain user roles.

It will also come in handy if you have a WooCommerce store and your customers store their credit card details in their account. This layer of security setting will fo sho help them protect their account.

Other than that, there’s also the Audit Logs feature which I mentioned earlier with Sucuri. However, Sucuri gives it for free whereas with iThemes Security it comes with their pro version only. Can this be a downside? Hmm…I don’t think so. As I mentioned, they are generally two different plugins.

And then there is the Privilege Escalation setting. This setting is suitable if you hire a freelance WordPress developer and want him or her to fix something in your WordPress website or blog. You can grant the person temporary role access and you can also set how long that person will have access to the temporary role.

The last security setting which I would like to elaborate is the reCAPTCHA setting. It allows you to add the reCAPTCHA feature to your comments section to protect it from spam and abuse.


This is the second security plugin which I have stumbled upon in my life and I am very impressed with its capabilities.

I like most of its security settings that I had mentioned above.

There are other settings too which I did not mention on purpose mainly because I did not find it interesting enough; such as the Malware Scan Scheduling which actually makes use of Sucuri’s system to perform automated malware scans. I’m guessing iThemes Security is not good in that particular department and they decided to hand over the entire responsibility to Sucuri. Way to go iThemes, way to go.

In my opinion, iThemes Security Pro is useful. Even the free version is useful.

But having the pro version and having all the settings enabled is godlike security in work. Even the fine folks from Ocean’s Eleven will not be able to work their way in.