iThemes Security PRO Review: Is It the Best Security Plugin? – RealBSG

If you’re looking for a detailed iThemes Security PRO review, you’ve come to the right place.

You haven’t built your website, business, and reputation overnight. Building a website takes years and years, but getting hacked only takes a few minutes. This is the reason that you must take your website’s security seriously.

You should choose a hosting provider that comes with built-in security features. You should also install a WAF (Web Application Firewall) and DDoS mitigation to protect your website. In addition, you need to install and activate one of the best WordPress security plugins, like iThemes Security Pro.

WordPress security plugins offer you helpful features such as brute force protection, 2-factor authentication, malware scan, file change detection, and much more.

Our iThemes Security Pro review covers the features that you can enable with the plugin, plans pricing, ease of use, comparison of popular WordPress security plugins, and pros and cons.

iThemes Security PRO Review

iThemes Security PRO is the popular and better WordPress security plugin installed on more than 1 million websites. The plugin has been developed by WordPress and internet security experts since 2014 to protect WordPress websites against known attacks.

iThemes Security PRO plugin comes with 30 features that help you harden your WordPress website against hackers and automated bot attacks. This ensures that only you and other authorized users can get into your WordPress website.

You can choose from FREE and PRO versions. The FREE version gives you basic yet important features like Brute Force Protection, File Change Detection, 404 Detection, Password Requirements, Database Detection, and much more. The PRO version ($80/year) offers advanced features such as Magic Links, Passwordless Logins, reCAPTCHA, 2-Factor Authentication, Version Management, and much more.

25 Features That Make iThemes Security PRO Stand Out

Once you’ve installed and activated the iThemes Security PRO plugin, a new menu called Security will be added to the left sidebar in the WordPress admin dashboard.

Navigating to the Admin Dashboard >> Security >> Settings allows you to configure the plugin’s settings.

Let’s take a look at the features that you gain access to with the iThemes Security PRO plugin.

#1. Two-Factor Authentication (PRO)

Two-Factor Authentication is an essential security measure, as it requires an additional unique code beyond the username and password to log in to your website. This means that if your username and password are guessed or hacked, hackers still need to enter the code at the second factor.

iThemes Security PRO allows you to enable Two-Factor Authentication for all users or a specific user group. The plugin supports multiple 2-factor methods such as email, mobile authenticator apps (Google Authenticator, Authy, FreeOTP, and Toopher), and backup codes.

#2. Passwordless Login (PRO)

Passwordless Login is an amazing way to log into your WordPress website without ever entering a password or two-factor authentication code.

Once you’ve enabled the Passwordless Logins feature, you can get into your WordPress website using a secure link sent to your email.

In the simplest sense, when you log in to your WordPress website, you can either instantly sign in with a magic link that is sent to your email inbox or enter your username and password. Click on the Email Magic Link button and you’ll receive an email containing a secure magic (login) link.

Here’s what it looks like when you want to log in with the Passwordless Logins method.

#3. Privilege Escalation (PRO)

Privilege Escalation comes in handy when you grant access to a freelancer, developer, or tech support agent.

This gives administrators an easy and secure way to grant access to outside developers and users for a specific time.

Once the 24 hours are up, the developer or user will lose the granted access automatically. So you don’t have to remove the user manually, because privilege escalation only lasts for 24 hours.

#4. Trusted Devices in Beta (PRO)

The Trusted Devices feature identifies the devices that you and other authorized users use to log into your WordPress website. Once your devices are recognized, iThemes Security Pro will keep your website safe from session hijackers and hackers.

To put it simply, when a user has logged in to your WordPress website using an unidentified device, the plugin will restrict the administrative-level capabilities.

They’ll also send you an email informing you that someone has logged in to your website using an unrecognized device. The email also includes options to either block or approve the device.

#5. Ban Users (FREE)

The iThemes Security PRO plugin automatically bans hosts and user agents when they meet the Ban Threshold requirements. You can adjust the Ban Threshold Requirements in Global Settings.

Additionally, you can manually ban IP addresses by entering them in the Ban User section, so they cannot access your website. If an IP is added to the banned users’ list by mistake, you can remove it.

#6. Local Brute Force Protection (FREE)

Brute force is a common method that attackers use to guess your username and password to break into your website.

The iThemes Security Local Brute Force Protection feature keeps track of failed login attempts and locks out an IP or user that has too many invalid login attempts in a set interval.

In your Local Brute Force section, you can adjust Max Login Attempts Per Host, Max Login Attempts Per User, and Minutes to Remember Bad Login.
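The lockout behaviour described above, as an added example (not iThemes Security's own code): a sliding-window counter over failed logins with a per-host limit, a per-user limit, and a "minutes to remember" window. The threshold values, the `replay` function, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def replay(events, max_per_host=5, max_per_user=10, remember_minutes=5):
    """Replay failed logins (ts_seconds, host, user); return lockouts in order.

    Assumed model, not the plugin's implementation: a host or user is locked
    once it accumulates its limit of failures inside the sliding window.
    Lockout expiry is not modelled.
    """
    window = remember_minutes * 60
    limits = {"host": max_per_host, "user": max_per_user}
    recent = defaultdict(deque)   # (kind, value) -> remembered failure times
    locked, lockouts = set(), []
    for ts, host, user in sorted(events):
        if ("host", host) in locked:
            continue              # a locked-out host never reaches the login check
        for key in (("host", host), ("user", user)):
            if key in locked:
                continue
            q = recent[key]
            q.append(ts)
            while ts - q[0] >= window:   # forget failures older than the window
                q.popleft()
            if len(q) >= limits[key[0]]:
                locked.add(key)
                lockouts.append((ts, key[0], key[1]))
    return lockouts

# Constructed sample data: documentation IP ranges and invented usernames.
NAMES = ["alice", "bob", "carol", "dave", "erin", "frank"]
EVENTS = (
    # One host failing against six different usernames, ten seconds apart.
    [(10 * i, "203.0.113.7", name) for i, name in enumerate(NAMES)]
    # Ten different hosts each failing once against the same username.
    + [(100 + 10 * i, f"198.51.100.{i + 1}", "admin") for i in range(10)]
    # One user mistyping a password five times, two minutes apart.
    + [(1000 + 120 * i, "192.0.2.9", "editor") for i in range(5)]
)

if __name__ == "__main__":
    for ts, kind, value in replay(EVENTS):
        print(f"t={ts}s lock {kind} {value}")
```

The per-host limit catches the first pattern and the per-user limit catches the second, which no single host would trigger on its own; the third stays under the limit because failures older than the window are forgotten.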

#7. Network Brute Force Protection (FREE)

The Network is the community of 1 million+ websites running iThemes Security. Once an IP is recognized as attempting to break into a WordPress website and has too many failed login attempts across the iThemes Security community, it will be added to the banned IPs list of the Brute Force Network.

Joining the Network Brute Force Protection means that all IPs banned by the iThemes Security community can no longer access your website. And your report (banning an IP) helps to get the IP banned on the network and protect other WordPress websites.


#8. reCAPTCHA (PRO)

reCAPTCHA is an excellent solution to protect your website against spam and fraud caused by bots and automated systems. It does this while letting your valid users view content, make purchases, create accounts, and log into their accounts.

iThemes Security PRO allows you to choose from multiple types such as reCAPTCHA v3, reCAPTCHA v2, and invisible reCAPTCHA. You can use reCAPTCHA on login, new user registration, password reset, and comments.

#9. Magic Links (PRO)

The Magic Links feature comes in handy when your username is locked out due to failed login attempts. It will send you an email that contains a Magic Link to successfully log in to your WordPress website.

When your username is locked out, they’ll display a message on the WordPress login page.

Just click on the send authorized login link and they will send you an email that includes your Magic Link. But keep in mind that you still need to enter your username and password to successfully get into your website. If you’ve enabled two-factor authentication, you’ll also need to enter the code at the second factor.

#10. File Change Detection (FREE)

The File Change Detection feature is an essential measure that helps you detect and stop a security breach. It scans your website’s files and alerts you when a file is changed.

When a WordPress core, plugin, or theme file has been changed, the feature will compare it with the version of or iThemes to find out if the changes were malicious.

#11. Site Scan Scheduling (FREE)

Site Scanner gives you a secure way to protect your WordPress website from known vulnerabilities such as WordPress, plugin, and theme vulnerabilities.

Site Scanner utilizes the Google Safe Browsing API to check your site’s Google blocklist status and will let you know if Google has found any malware on your WordPress website.

Once Site Scan Scheduling is enabled, your website will be automatically scanned twice a day. If an issue is detected, you’ll receive an alert email.

#12. User Activity Logging (PRO)

The User Activity Logging feature automatically keeps track of and records specific user actions such as logging in, logging out, user creation and registration, adding and removing plugins, switching themes, and changes to posts and pages.

Once the User Logging is enabled, you can then see all the recorded data in the Logs tab of the Security menu.

#13. Version Management (PRO)

There are 3,972 known WordPress vulnerabilities, of which 52% are from plugins, 37% are from WordPress core files, and 11% are from themes.

Keeping outdated WordPress core, plugins, and themes leaves your website vulnerable to attack, and software with known vulnerabilities helps hackers to break into your website. This is the reason that you need to update them.

The Version Management feature allows you to automatically update WordPress core, plugins, and themes. This helps you keep your site safe from vulnerabilities in software.

#14. Database Backups (FREE)

If something goes wrong or your website’s files get corrupted, you can roll back to the previous version by restoring a database backup. They will replace your corrupted files with fresh ones.

You can schedule automatic database backups or create them manually. You can either save database backups locally to your website root folder or receive them by email.

#15. Geolocation (PRO)

iThemes Security PRO plugin utilizes geolocation to improve the identification accuracy of trusted devices. You can either use the MaxMind database or the MaxMind GeoIP2 Precision: City (for the highest level of accuracy).

In addition, they use static image maps to show you the approximate location of an unknown login. The security plugin recommends utilizing either Mapbox or MapQuest APIs and their free plan is enough to get started.

#16. User Groups (PRO)

The User Groups feature lets you see all user groups, see which settings are enabled for each user group, and make modifications to settings. This helps you apply the right level of security to the right user group.

#17. Notification Center (FREE)

In the Notification Center, you can configure and adjust the notification settings related to various security modules. You can set here the default recipients for any admin-facing notifications.

You can enable email notifications for each security module, but the default settings are pretty good.

#18. System Tweaks (PRO)

System Tweaks are advanced settings that block common forms of attacks but can also block legitimate plugins and themes that use similar techniques.

These settings let you prevent public access to important files like readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. Moreover, you can disable PHP in uploads, plugins, and themes.

You should enable them carefully, checking that every setting works as expected.

#19. WordPress Tweaks (PRO)

The WordPress Tweaks module comes with multiple important options.

You can disable the File Editor for plugins and themes, so you’ll need to manually upload and edit files using FTP or other tools.

As the second important option, you can enable XML-RPC, or disable XML-RPC & Pingbacks.

#20. Hide Backend (FREE)

The Hide Backend feature enables you to change your login slug (part of the URL) so that no one can guess your website login URL. This makes it harder for automated attacks to find your login slug.

You can also redirect the users who attempt to access the wp-admin login page while not logged in.

#21. Change Database Table Prefix (PRO)

Remember to create a website backup before using this setting. Also, changing the database table prefix needs more system memory than what most web hosts offer.

WordPress uses the prefix WP for all tables in the database. This makes it easier for potential hackers to write scripts that target WordPress databases. Changing the prefix WP makes it more difficult for hackers to get into your site.

#22. Check File Permissions (FREE)

The Check File Permissions feature monitors the permissions of important files and folders on your website. This shows you the status of files and folders based on the color next to them.

A green status (OK) indicates the file is sufficiently secure, a rose fusion status (WARNING) means that you should change it to more secure permission,

#23. Change WordPress Salts (PRO)

WordPress Salts (along with Security Keys) are a cryptographic tool that helps you secure your WordPress website’s logins. They secure your login information in cookies.

Think of them as kind of extra passwords for your WordPress website login, so that no one can guess them to break into your site.

Once this feature is enabled, it will force all users to log in again and start from where they stopped.

#24. Security Check (PRO)

The Security Check PRO will identify the remote IP entry to protect your site against IP spoofing. IP spoofing is a type of malicious attack where hackers hide the true source of IP packets to make it more difficult to tell where they came from.

In addition to having IP spoofing protection, they redirect all HTTP page requests to HTTPS, which is a more secure version and protects your login information from being public.

#25. Export and Import (PRO)

The Export and Import feature saves you the time of separately configuring the iThemes Security plugin on each site.

This feature allows you to export iThemes Security PRO settings from one site and then import them into a new installation of the plugin on another WordPress website.

iThemes Security PRO Plans Pricing

The iThemes Security plugin comes in FREE and PRO versions. I recommend the PRO version, as it offers you advanced security features while the FREE version gives you the basic security features.

iThemes Security PRO comes with three different pricing tiers: Basic, Plus, and Agency. I signed up for the Plus plan to secure my WordPress websites.

The only difference among them is the number of WordPress websites that you can install the plugin on. The rest of the features are the same with each plan.

  • Basic Plan: Starts at $80 per year and enables you to secure only 1 WordPress website. The plan includes all PRO features, ticketed email support, and plugin updates.
  • Plus Plan: Charges you $127 a year and allows you to secure a maximum of 10 WordPress websites. You get all the PRO features, ticketed email support, and plugin updates.
  • Agency Plan: Costs you $199 per year and allows you to secure unlimited WordPress websites. This incorporates all PRO features, ticket customer support, and plugin updates.

Each iThemes Security PRO plan is backed by a 30-day money-back guarantee.

Why You Should Use iThemes Security PRO Plugin? (4 MAJOR REASONS)

According to data compiled by iThemes Security, nearly 50% of all cyberattacks prey on small to medium-sized businesses because hackers know they don’t have solid security software installed. And cyberattacks have increased by 300% (this year alone) as hackers increase their efforts to exploit vulnerable websites.

Thus, you need solid security software like iThemes Security PRO to protect your WordPress website against hackers, malware, and other attacks.

Here are the major reasons to install iThemes Security PRO on your WordPress website.

#1. Better WordPress Security Plugin

iThemes Security PRO is known as the better WordPress security plugin because it offers all the essential plus advanced features to secure your WordPress website.

The better WordPress security plugin uses 30 ways to keep your WordPress website safe and secure. It is just amazing that you get 30 SECURITY FEATURES in one WordPress plugin.

#2. Helpful Ticketed Email Support

With any iThemes Security PRO plan, you get access to a fast and friendly customer support team. Their WordPress security experts typically respond to your ticket within one hour during business days.

The support hours are 8 am-5 pm CST (1 pm – 11 pm GMT) from Monday through Friday. The Help Center, however, is available 24 hours a day and 7 days a week to answer your questions.

They have solved 27,524 tickets since the plugin was created. Quite impressive.

One thing I noticed: they provide help center guides, useful blogs, and problem-solving videos for most of the features. And you can access them in your WordPress dashboard by clicking Help in the upper right corner of each security module of iThemes Security.

My Experience: I created a ticket in the iThemes Member Panel on 29 August 2022 at 06:51 PM. And I got a helpful response on 29 August 2022 at 06:59 PM.

The expert was knowledgeable and answered my question in detail.

#3. 30-Day Money-back Guarantee

Not every product works well for everyone, so iThemes Security PRO gives you a 30-day money-back guarantee.

Keep in mind that you can get a refund when you are within the first 30 days of a purchase or a yearly auto-renewal. You can also cancel your subscription before the renewal payment is automatically processed, as iThemes will send you an email 1 week before the renewal date.

#4. Ease of Use

iThemes Security has an intuitive and well-structured dashboard called iThemes Member Panel. You can easily navigate among different options and understand them.

From the iThemes Member Panel, you have to download the zip file of the iThemes Security PRO plugin, and then upload it from the WordPress admin dashboard.

iThemes Security PRO plugin has a user-friendly and easy-to-configure interface. You can easily set up each module as it provides details to secure your WordPress website.

iThemes Security PRO VS Other WordPress Security Plugins

Here’s the comparison table of iThemes Security PRO and other popular WordPress security plugins.

Free Version | ✔️ | ✔️ | ✔️
Starting Price | $80/Year | $99/Year | $9.99/month
2-Factor Authentication | ✔️ | ✔️ | X
Brute Force Protection | ✔️ | ✔️ | ✔️
Ban Users | ✔️ | ✔️ | X
Malware Scan | ✔️ | ✔️ | ✔️
File Change Detection | ✔️ | ✔️ | ✔️
Version Management | ✔️ | X | X
Change Salts & Keys | ✔️ | X | X
DDoS Protection | X | X | ✔️
System Security Tweaks | ✔️ | ✔️ | X
Vulnerability Scanner | ✔️ | ✔️ | X
User Activity Logging | ✔️ | ✔️ | X

Although iThemes Security PRO doesn’t offer you a WAF (Web Application Firewall) or DDoS Protection, it offers 30 security features for the lower price in the market. So it’s worth your money to protect your WordPress website against attacks.

Pros And Cons

Here is a summary of the advantages and disadvantages of iThemes Security PRO.


👍 FREE and PRO Versions
👍 30 Ways to Secure Your Site
👍 Works With Network & Multisite Installations
👍 User-Friendly Interface
👍 Lower Price in The Market
👍 Fast, Private, & Ticket Support
👍 30-Day Money-Back Guarantee


👎 No WAF
👎 No DDoS Protection
👎 The Plugin Doesn’t Work with Some Web Hosts.


iThemes Security PRO is the better WordPress security plugin installed on more than 1 million WordPress websites. This comes with 30 ways to protect your WordPress website against hackers and automated attacks.

The security plugin has an easy-to-use and easy-to-configure interface that even non-tech-savvy users and beginners can easily set up and configure.

Their WP security experts help you to solve your problems and answer your questions in a way that you understand. Mostly, they respond to your tickets and provide solutions to your problems within one hour.

I use the iThemes Security PRO Plus plan for one of my WordPress websites.

iThemes Security PRO also offers you a 30-day money-back guarantee, so it’s completely risk-free.

So I hope you’ve found our iThemes Security PRO review useful.