Securing Your WordPress Site: iThemes Free Security Plugin Review
No doubt you spend a lot of time and money on your website. You’re happy with the end result, and rightfully so; it’s easy to see why most people opt for extra security measures to protect what they have worked hard to create.
Finding a reliable security plugin sounds easy in practice, yet it can be a difficult task. After all, you’re leaving your peace of mind and security in someone else’s hands so it’s important you take the time to test what’s available and ensure it suits your site and skill level.
iThemes Security (formerly Better WP Security) is one of the top ranked WordPress security plugins. There are many faithful supporters, but how well does it really work to protect your site, and your users?
I’ve compiled this review to help you find out, and to help you decide whether or not iThemes Security is right for you.
iThemes Security Review
The Better WP Security plugin was relaunched as iThemes Security on March 25, 2014, when it was bought out by iThemes Media LLC.
Chris Wiegman, the plugin’s original developer, worked closely with iThemes’ staff and CEO Cory Miller during the changeover. At the time, Miller said he was a fan of Better WP Security and used it to lock down his own personal website.
Cory began his career as a newspaper journalist. In 2008, he decided to work full-time on his own business and the result was iThemes Media, dubbed one of the fastest growing companies in Oklahoma City in 2011 by Metro 50.
Miller is the author of three non-fiction titles, as well as a co-author of WordPress All-in One for Dummies. He also co-founded The Div, a community hub dedicated to innovation, creativity and training in Oklahoma.
iThemes Media currently has a growing staff of 19 people, including developers, tech support, and a professor. As the iTheme site exclaims, they “love creating tools that help you make awesome websites.”
60,000 Users Affected in Recent Security Scare
On September 23, 2014 it was discovered one of iThemes’ servers had been hacked. Cory was quick to announce the security breach and was notably honest in revealing what had happened.
In his initial announcement, he urged users to reset their passwords as they were visible via clear-text, along with other information such as full names, usernames, email, and IP addresses. Luckily, no payment information was accessed, as iThemes uses a third party payment system.
The information of about 60,000 users was breached and, according to the second announcement, it could very well have been prevented. Cory admitted that the membership software the company had been using since 2009 had stored passwords in clear text and while the company had been aware of the security issues, they had failed to fix it in a timely manner.
The issue lies in the way user information was stored: Unencrypted, and thus unprotected. When the server was breached, the hacker had access to user information, which was as clear to read. Saving information online, unencrypted, is a fundamental principle in online security.
What’s more, iThemes did not immediately rectify this issue by ceasing to store user information in clear text. They did, however, reset the passwords of all users who had been affected. It is unclear whether the hacker had saved any of this information, but he/she definitely had access to it.
Bottom line: One of iThemes Media’s servers was hacked and user information was accessed, despite the company knowing about the security flaw for five years. After becoming aware of the security breach, they did not immediately remedy the underlying problem, although they were very clear, and forthcoming about the situation.
For a company selling a security plugin – not to mention the free version I’m reviewing here – the recent breach is enough to make anyone cautious about using their products. Since his second update, Cory hasn’t yet provided any new information publicly on how iThemes have resolved the situation, despite saying he would give another update “in the coming days.”
So now all that information is out of the way, let’s move forward with this review of the free version of iThemes Security.
How Much Does it Cost?
Out-of-the-box, this sucker is complete and free. You get all the security features you need and you don’t have to pay a cent. That in itself is noteworthy.
It’s rare to come across a plugin that includes features you would otherwise find in a premium plugin. Many free versions of premium plugins are missing key features, rendering them pretty useless. This is not that kind of plugin.
If you would like to purchase a licence for iThemes Security Pro the prices are as follows:
- Two licences – $80 per year
- Ten licences – $100 per year
- Unlimited licences – $150 per year
- Unlimited licences, plus access to iThemes’ 20 plugins (and growing) – $247 per year
If you would like to also buy their BackupBuddy plugin, which fully integrates with iThemes Security, you can buy an additional subscription. The BackupBuddy plugin backs up all your files, including your database. The backups are downloaded directly to your own storage device for safe keeping. It also covers you in the event of site migration, providing seamless backups.
If you are happy with simply backing up your database, then the free version of iThemes Security has you covered. For a free plugin, there’s a host of features and options available.
What Do You Get?
The free version of iThemes Security provides you access to a raft of features (listed below). If you opt to buy iThemes Security Pro, one licence can be used for one individual site. The premium offering includes a bunch of extra features, along with automatic updates and ticketed support for the duration of the license.
The free plugin includes many great, and necessary features, such as malware scanning and protection against common back end exploits, brute force attacks, and comment spam, to name a few. IP banning (or white listing) is included, and banning by country is planned for a future update.
Here is a full list of features:
- Brute force attack protection
- Strong password enforcement
- Hide login and admin pages
- Security reports
- File change detection
- Lock out users with too many failed log in attempts or 404 errors
- Detects file changes
- Make the admin inaccessible for an amount of time you set (if you go on vacation)
- Hide your WordPress, and jQuery versions, and other header meta data
- Remove update notifications to your users
- Change WordPress database table prefix from the default “wp_”
- Change wp-content folder path (where many sensitive files are stored)
- Ability to display a random WordPress version number to non-admin users
- Force SSL (Secure Socket Layer) on admin, or front end pages
- Detects attacks to your database, files, and attacks by bots
- Emailed database backup on a customizable schedule
- Disable PHP execution in uploads
- Disable user’s author page if post count is zero
- Force users to create a unique nickname when updating profile, or registering
- Comment spam blocking (limited)
- Two-factor authentication for log ins
Sounds awfully good to me, but how does it fair in the real world of constant attacks?
How Does it Work?
When you initially install the plugin, a notification prompts you to get a free API key and to “secure your site now” by selecting some basic options.
You have the options of backing up your database (which you should definitely do), allow iThemes Security to have writeable access to some of your files, set up basic options with one click, and send anonymous plugin usage data.
Once complete, you’re free to exit out of the light box and enter in more settings, or navigate away from the plugin and move onto something else. Once the page refreshes, you’re prompted with a warning if you do not have SSL (Secure Socket Layer) enabled on your server: “WARNING: Your server does appear to support SSL. Using these features without SSL support on your server or host will cause some or all of your site to become unavailable.”
Right off the bat, this is one of the settings that is non-negotiable, or else you will likely break your site. If you do not have SSL enabled, this plugin will cause you nothing but trouble.
When you think about it, it’s not a good idea to leave your site unprotected by not enabling SSL, anyway. Really, this is perhaps only a minor inconvenience for most people.
Beyond that, there are also some advanced options with clear warnings. You are prompted to make a backup of your database before changing any settings. The warnings are pretty hard to miss.
1.6 million WordPress Superheroes read and trust our blog. Join them and get daily posts delivered to your inbox - free!
Still, it’s not difficult to think you’re doing the right thing… and then find your site has become unavailable. If you don’t back up all your files, your site may be lost. Unfortunately, you aren’t told to backup everything – just your database.
1.6 million WordPress Superheroes read and trust our blog. Join them and get daily posts delivered to your inbox - free!
In the right hands, these advanced settings could be powerful, but as the adage goes: “With great power comes great responsibility.” Yes, I just quoted Spider-Man (2002).
Most of the time, you’ll enjoy peace of mind knowing you’re fully protected from all the hackers out there, unless you’re one of the unlucky ones. Security breaches have been known to happen, although fairly sparingly. With over 3,000 five star reviews in the WordPress Plugin Repository, I think it’s safe to say most people enjoy nothing but peace of mind with this plugin.
As with any security precautions, iThemes stress that diligence and good security practises on the user’s part are important to ensure security of a website. As such, the plugin will not protect you from all attacks. I think that’s a fair statement.
As long as you are careful about what you choose in the settings, your site is safe.
Learning Curve / Ease of Use
The iThemes Security plugin is incredibly easy to set up, despite my warnings in the previous section. The only trouble you may come across is going beyond the basic settings. It’s fairly easy to tweak the settings incorrectly and completely throw your site offline. However, you are reminded quite a few times to backup your database.
One criticism, which I’ve already mentioned, is that users aren’t reminded to backup everything, just their database. Having said this, it seems to be common practice.
The plugin does guide you with clear, concise explanations for each option and documentation is available to help you understand the settings more thoroughly. Most users will not even need to thumb through this, however.
Overall, it’s pretty easy to use. You just need to pay careful attention to the advanced settings; if not used correctly, they could (figuratively) explode your site.
Many essential features are included in this plugin, but I can’t help but feel the feature list is still short. For example, you are only offered partial comment spam filtering in both the basic and premium versions of the plugin.
It’s also worth pointing out that in the event you are hacked, iThemes offers no assistance. The expectation is on you to have full backups of your site – such as with their premium BackupBuddy plugin – or otherwise use a third party service to recover your site.
This being the case, this plugin is useful for preventative measures only and should not be relied on for full protection.
Most people have success with this plugin, despite the limitations. The positive reviews in the WordPress Plugins Repository can attest to this. At the end of the day you can’t argue with results.
Out of the Box
This plugin is easy to set up out of the box. It literally takes just a few clicks. You don’t even have to fiddle with the additional settings, though if you do it adds extra layers of protection, so it’s a win-win situation.
Within the 45.28 seconds it takes to set up the plugin, you’re ready to go. This includes installing and activating it to the end of the initial set up. Yes, I actually timed it. I’m that cool.
Seriously, though, I don’t think iThemes could offer an easier user experience out of the box. The only way you could mess up this initial set up is if you didn’t do it at all.
Here’s where things get a little messy. This plugin does a pretty great job of protecting your site, though, the recent security breach raises some very important questions.
If iThemes were aware of an issue for some time – five years, in fact – that could compromise the security of their very own website, and decided to do nothing about it, that doesn’t say very much about their quality assurance. If they cannot protect their own site, how can you be sure they will protect your site?
It seems like an oversimplification, but it really isn’t. One of their servers was hacked due to a failure to fix a very basic security flaw, as I explained in this review.
Encrypting user information and not saving it in plain text is among the first things you learn when securing information online. If they can’t adhere to the most basic of online security principles when they are offering an online security service themselves, one is left questioning the integrity of their service.
After all, if they fell prey to such a basic miss-step, what other miss-steps are there left to be found? I’m not at all suggesting iThemes intended for information to be breached, but they did ignore the issue for several years.
It’s certainly admirable that Cory took full responsibility for the mishap and was completely honest about the issue in a timely manner. However, it does not change what happened. Information was compromised, which was entirely preventable.
In the end, to value this service you need to be able to value your security, and your privacy. I’m inclined to believe that no plugin or service is worth losing your privacy or information for. If you are not concerned with this, then you’ll be free to enjoy an otherwise seemingly fabulous plugin.
Resource Consumption / Speed
On its own this plugin is fairly lightweight, fast, and doesn’t require too many resources. On the other hand, if you’d like to make use of their advanced features then you definitely need to ensure you have a lot of RAM and CPU available. While speed won’t be affected, your resources will.
This is especially an issue if you have shared hosting. iThemes security will likely use up all your resources and cause your site to be inaccessible. If this happens, the only way you can get your site restored is if you have a backup of it.
The features which have every potential to put a strain on your server resources are database backups, file change detection, changing your database’s prefix, and changing your content directory. If you wish to use these features you need to have quite a bit of available resources and you need to make sure you make regular backups of your site.
Typically, I found you need to have at least 1 GB of RAM available to use strictly for this plugin. That’s quite a lot for one plugin, but the security of your site is very important so it’s still worth considering this plugin. You just need to make sure you have enough RAM, especially if you wish to use the features which tend to put a bit of a strain on your resources.
Right out of the box, this free plugin works really well and there are few recent problems on the basic user level. This plugin also has enough of the right features to make sure you are protected from most threats.
The only thing you’ll need to take care of, other than installing this plugins, is making sure you don’t fall prey to phishing scams and the like, which is ultimately up to you to monitor since plugins can’t do that for you.
While the iThemes team can’t go back in time and stop the September security breach from ever happening, the fact is it did happen, exposing not only users’ data to hackers, but iThemes own security flaws. So I think it’s fair to advise that you use this plugin with caution and contact iThemes if you have any concerns.
Nevertheless, there are many faithful supporters of the iThemes Security plugin. It’s not too difficult to see why with so many thrilled customers. Just be sure to backup your site as they helpfully and so often suggest.
- The plugin is free to use and is complete on its own (no extensions needed)
- It's easy to use and has clear instructions in the plugin settings, as well as externally
- Offers protection from brute force attacks and back door vulnerabilities, and includes malware scanning
- The plugin in continuously being updated and new security features are added regularly
- Advanced features such as changing the directory of sensitive files, and renaming database pre-fixes
- Compatible with WordPress Multisite
- The plugin can very easily break your site, even for simple things like not enabling SSL
- This plugin is not built for shared hosting platforms as scans take up a lot of resources
- The only remedy to a hacked site is to do a restore
- Does not offer complete protection of your site, such as partial spam protection
- An iThemes server was recently hacked