449 – Plugin Review: iThemes Security Pro
In today’s podcast, we do a full review of all the features of iThemes Security and the pro features and discover whether it’s worth the investment for the premium version.
Full TranscriptBusiness Transcription is provided by GMR Transcription.
On today’s episode, we are going to dive into another plugin review, we’re gonna talk about iThemes Security Pro, right here on YourWebsiteEngineer podcast, episode number 449.
Hello and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler, and today we are going to continue this kind of month-long, or summer-long sabbatical season and just talk about plugin reviews, especially the premium plugins that cost a little bit of money to install and put onto your website. I just wanna kinda de-bunk and work through some of these, and just make sure that you know what plugins are good, and which ones are worth the money to spend on it, and which ones aren’t, you know, just kinda get a feel for the plugins before you actually have to purchase them for yourself.
So, before we get started though, I wanted to let you know about the contest that I talked about last week on episode number 448, and you can find out more details at YourWebsiteEngineer.com/448. It’s all about OptinMonster and the goods and bads about OptinMonster. And then, there’s also a giveaway that I’m giving away a few licenses of the OptinMonster code – or the plugin itself, and the service and software as a service for three lucky winners, so find out more details by heading over there.
Okay, today let’s go ahead and talk about iThemes Security Pro. I’ve been a fan of iThemes Security Pro ever since it was called a better WP security, and then it was acquired by iThemes, and then rebranded it, and changed the name to iThemes Security Pro. And iThemes is a great company, and they’ve got tons of different plugins that are part of their suite of plugins—the BackupBuddy is the main one, that’s the one that you may or may not have heard about, but that’s the big one that they have. But the Security is their next one, they also have a sync feature, and then they have a bunch of other kinda miscellaneous plugins.
And iThemes Security Pro is probably the one that I like to recommend the most. I know that there’s tons of different backup solutions that work, BackupBuddy is a great solution, but iThemes Security Pro is one of those plugins that I just find it does a very, very good job of helping you set up your WordPress site so that you’re not gonna have issues in the future with hackers or having malicious code entered into it and whatnot. So, let’s go ahead and talk a little bit about what it is and how it works.
So, they deem themselves “the best at WordPress security plugin to secure and protect your WordPress site.” I also should mention that there’s also a free version just called iThemes Security, and you can find that in the WordPress repository, and that gets most of the way there. There are extra things that we’ll talk about that it gives you in the Pro version, but you can get a lot of their features just in the free version as well. So, you just have to know then as a WordPress site owner, you have to have some sort of security strategy that includes a trusted WordPress plugin, like iThemes Security Pro.
I feel very comfortable with using plugins from iThemes, there’s a bunch of big-name companies that are out there, but iThemes is one of those that I just know that just because their name is behind it, they have some great – they have a great team behind them, and they are constantly developing, and constantly adding new features to this plugin. So, WordPress is over a third of the web now—over 33%—and it’s been an easy target for hackers with malicious intent because there are so many websites that are running WordPress. There are so many that are running outdated versions, or have some security vulnerabilities and whatnot in them to make it easy for people to hack into.
So, you wanna make sure that your WordPress site is secure and protected with iThemes Security Pro. It helps you to fix common WordPress security issues that you may not know exist, and then, it can also add that extra layer of protection that gives you peace of mind, and keeps the bad guys out. So, what all is in this security plugin? Here are the free things that are built right in: they have a security check, so it allows your site to ensure that it’s using the recommended features and settings. This one is probably the best one, the easiest one to use when you turn on the iThemes Security, or iThemes Security Pro.
It goes through, and it gives you this gigantic checklist of things that you can do: is your database prefixes, are those different than WP; are you using a different user ID than one; are you using admin as a username? It goes through this check and then it gives you a letter grade of how well that you did through the security check. That’s one of the great pieces about the plugin: you can go, you can run the check, you can fix a bunch of things, and then you can – then you know that you have made your site more secure and harder for people to get into. They also have a notification center that’s built-in, that you can see – you can get email signature or email notifications sent by iThemes Security if something happens. So, if you say: oh, ban anybody that tries the email address “admin,” or the username “admin,” then you will get an email notification directly to your email, or you can look at those inside of the security logs inside of the plugin. It also has 404 detection, if you turn that on it allows – it blocks people and blocks users that are snooping around your site for pages to exploit. There is an “away mode,” so you can enable that when you are going to be away from your website. You know, maybe you’re gonna be away for a month, you’re going on vacation, you don’t want anybody getting in, you can enable “away mode” on iThemes Security.
You can do a band user, so this blocks specific IP addresses and user agents from accessing your site. So, if you know that you’re getting a bunch of spam comments from a certain IP address, you can just go ahead and block that. You also can have database backups; this is built-in to iThemes Security. It basically can be created manually, you can go in, and you create a backup. It’s kind of unique that it’s in iThemes Security when you also need BackupBuddy, but it’s just a standard – a simple backup, and it’s not the easiest to restore, but it’s got that built-in to iThemes Security.
You can also monitor for unexpected file changes, which is really nice. So, if a file, or a plugin, or a theme file, or something changes, you can get email notification when that happens; I’ve got that enabled on my website. You also can do file permissions, so you list the file and directory position – or permissions of key areas on your site. So, you can see all of those. You can do local brute force protection; so this will protect your site against attackers that try to randomly guess the login details to your site, so you can enable that. You can also do a network brute force protection, and that just joins a network of sites that reports in projects against bad actors in the Internet.
So, if somebody is banned on another WordPress site, and they’re running iThemes Security, then that network will allow that same IP address – it will ban them, or that same credentials, it can ban them as well. You can also manage and configure password requirements for users. So, if you have multiple people logging-on, you can use a “fine-tuned tuning,” I guess you could say, to make sure that the passwords meet your criteria for secure on a WordPress account. They also allow you to do SSL to ensure that communication between the browser and server are secure; if you don’t have an SSL certificate, you can configure one through there. There is a section called “system tweaks,” and this allows advanced settings to improve your security by changing your server configuration for your site, so you can make some changes there. You can update your secret keys—they’re called the WordPress salts—to increase the security of your site, that’s another one. And then the last one is WordPress tweaks, and these are advanced settings that improve security by changing default WordPress behavior. And so, that one, and the WordPress salts, and the security check are the three big ones that you want to go through and then enable the “file change detection.” If you do all those, you’re gonna get a huge amount of bang for your buck for the free plugin of iThemes Security.
Now, if you want to upgrade to the Pro version, we’ll talk about what the cost is in just a few minutes. But some of the features that are built into the Pro version is it has Magic Links, which allows you to send an email with a Magic Link that bypasses a user name lock-out. So, if somebody’s locked out of your site, you can send them a Magic Link, and then they can log back in. There’s also malware scan scheduling, and so you can protect your site with automated malware scans. When this feature is enabled, the site will automatically be scanned each day, and then if a problem is found, an email is sent to selected users.
And this is using Security.net, and the power of the technology there that monitors millions and millions, and millions of WordPress sites. So, that’s built right into iThemes Security Pro. You also have a few other cool features that are built-in, one is called “a privilege escalation,” and this allows admins to temporarily grant extra access to a user for the site for a specific period of time. So, if you wanted to – maybe you had a contractor or somebody working on your website, you could give them their normal – you give them a regular access.
And then, from 8:00 a.m. to 5:00 p.m., whenever their working hours are, you can give them specific: oh, I’m gonna bump you up to an admin so you can do your work, and then remove the admin privileges when they’re not doing the work. They also have a feature for the captcha, so if you wanted to protect your site from bots by verifying the person is actually a human, you can turn on the captcha, that’s a Pro feature. There is a settings import and export feature, this is super-handy if you are using iThemes Security Pro on multiple sites and if you wanna export the settings and import the settings, you can do all that with the Pro version.
You also have two-factor authentication. So, this allows you – and that’s that two-factor step, so you log in with your username and a password, and then, you have to enter a security code as the second piece of information to login into your site; so you can turn that on with the Pro version. There are a couple more things: there’s a user security check, so every user on your site affects the overall security, so you can see your users and how they might be affecting the security, and take action when needed. I’ve never really played with this setting, and I only have me as a user on my site, so I’m not exactly sure how that works, but that’s a feature in the Pro version.
And then, there’s “user logging,” and that logs actions such as login, saving content, making changes, deleting plugins, all that kinda stuff, that’s all built into the Pro version. And then, the last thing is version management, and so this – you can protect your site when outdated software is updated. So, in case an updated piece of software breaks your website, you can roll-back very, very quickly and get back up and rolling. So, that is the Pro version of iThemes Security. Now, in my personal review, I have used the Pro version for – I used it for several years, it used to be in the iThemes toolkit bundle.
Back-in-the-day when I was building websites for clients, I would spend money for the toolkit, and I would get everything that iThemes had to offer: I was using BackupBuddy; everything that they had, I was using. And you got it all for one package deal with “the toolkit” they call it. And I’m looking for the price here, and it looks like they’ve upped it quite a bit, it’s $700.00 per year. And that includes all of the plugins; all the training; you can do up to 10 Sync Pro sites; and you get all the themes; and you get all of the stuff that you need there was $700.00 if you want the firehose of what iThemes offers.
And for a free agency – or for the they call it “the free agent,” or “the freelancer” price point, and it kinda goes up from there. There’s an agency price, and that goes up to 25 sites for $857.00 per year. And then, if you need 50 sites or more, then that is $997.00 per year. And if you just wanted iThemes Security and not all the bells and whistles of everything, it’s $80.00 per year for one website, to $127.00 for 10 sites, and $199.00 per year for unlimited sites running iThemes Security Pro. And so, it really depends on if you find the value in the malware scanning—if you don’t wanna have to manually do that—and the two-factor authentication, those are the two pieces that I really recommend that’s worth it in the Pro version. And I know that with Jetpack and some other plugins, you can get two-factor authentication. Also, I guess, with the Pro version, you do get full support, and so, you can go, and you can contact support, and you can get help with any issues that you may be having. But honestly, I don’t know if it’s really worth the extra money, the $80.00 per year—or $200.00 if you wanna do unlimited sites—to have those features on all the time. I haven’t used iThemes Security Pro in a couple years, and I haven’t had any problems. Also, it probably depends some on your host.
And so, some the reviews that I’ve read, and some of the—I’ve never had this as an experience myself—but some of the things that people say is it slows down the server a little bit, or it slows down your site by running all these scans, and checks, and stuff in the background all the time. And so, that’s something to think about and consider. So, it really depends on what you’re thinking. I think that if you just go in and get the iThemes Security plugin from the WordPress repository, you go in, again, turn on the security check and fix everything there; turn on the file permissions; turn on the file change detection, so you get an email when unexpected files change.
And then, do the WordPress suite – or the WordPress tweaks, and the system tweaks. I think that’s going to give you a world of help. And then, probably the one last thing that I would enable would be the local brute force protection and the network brute force protection, turn those things on as well. And that will get you a very, very secure and a much better than most of the websites that are out there. So, that’s what I’d recommend, that’s my personal recommendation and what to do. That’s how I’ve got my site set up, and I haven’t had a problem—knock on wood—I haven’t had any issues with anything with iThemes Security, or even hackers, or anything.
I haven’t dealt with that in years, and years, and years, and I think it’s all because of iThemes Security. And I’ve just been using some better practices with WordPress: having a more secure password, and making sure that people don’t know what my login is, making sure that every time that somebody tries to login with the admin username, I just completely block their IP address and they can’t get in anymore. All of those things I have set up, and I don’t get a lot of spam comments, and I don’t get a lot of failed logins, because once that happens, they’re completely banned. And so, I have iThemes Security to thank for that. So, that’s what I wanted to share with you today. Thanks so much for tuning in. Also, remember head on over to the show notes for episode number 448—so that’s YourWebsiteEngineer.com/448—to find out more about the OptinMonster giveaway, where I’m giving away a couple of licenses of that software, or that software as a service, if you will. So, check that out.
And then, next week, we’ll talk about another plugin, or we’ll do something cool about WordPress. And we’re continuing to count down the weeks until my sabbatical is over, I just have a couple more weeks left. And I’ve got a huge deck project that I’ve been working on pretty much every spare chance I’ve got the last couple of days, and I just haven’t had a lot of computer time, so hopefully, I can get back in the swing of things. Three weeks until I’m back at work, and then I’ll be full-force into automatic things and WooCommerce things in WordPress. And so, I’m excited, but I also have a lot to do in the next couple of weeks. So, until next week, take care, and we’ll take again soon. Bye-bye.