Written by on

Better WP Security Changing To iThemes Security: What You Need To Know

I’m very excited to share that next week, Better WP Security, the uber-popular security plugin developed by Chris Wiegman, will be getting a big, highly-anticipated update.

One reason I’m so excited about this next update is because I found Better WP Security because I needed help locking down my own personal site. So I’m a fan and user of BWPS just like you and know how it’s helped me personally (and want to continue doing that for others).

Over the years, we’ve seen increased attacks in the WordPress community and have sought to help our community by providing resources and tips, like this post last year.

Security isn’t going away. It’s only heating up as more and more people seek to exploit WP.

And we want to be part of the solution.

With that, I wanted to let you know about some things changing (and not changing) with Better WP Security (BWPS), soon to be iThemes Security.



This is the biggest reason for this early announcement.

With the new rollout, we’re changing the name from Better WP Security to iThemes Security to better reflect its role and future in the iThemes family. We hired Chris full-time in December 2013 to focus solely on making BWPS ( iThemes Security) better for you.

One important note about the name change, you’ll notice next week …

Because of the way the WordPress.org plugin repository system is set up, changing the name of the plugin will cause it to show an error (as shown below) and deactivate the upgraded plugin.


The error will look like this after you’ve upgraded the plugin.


But it has a very simple and easy fix:

Simply reactivate the “iThemes Security” plugin in your WP Dashboard after upgrading. 

After upgrading, all you’ll have to do is simply “Activate” the new version titled “iThemes Security” plugin in your Dashboard after upgrade and you’re good to go. Your settings and setup will be saved.

We tried hard to find ways to work around this particular issue with changing the name, but unfortunately reactivation after updating the plugin is what has to be done to receive the new version.

With this post, we’re trying to get the word out as broadly as possible to let the community know this is coming and what to do in advance. We’d appreciate your help in spreading the word, too, by sharing this post.


Here are some of the new features you’ll see in the next version of BWPS (iThemes Security):

  • The jQuery scanner will tell you if your theme has an outdated and vulnerable version of jQuery
  • A new option to disable PHP execution in the uploads folder
  • The ability to prevent usernames from being discovered by forcing a unique nick name that is different from the username and by hiding the author archives with users who do not have a post)
  • Voluntary data collection via Google Analytics to help us make iThemes Security even better
  • The ability to add multiple reporting email addresses for backups and notifications
  • Streamlined settings for easier configuration
  • Full integration with BackupBuddy
  • A complete rewrite of existing features for faster, better, more secure sites.


For all practical purposes, iThemes Security is more than just an upgrade, it’s a new plugin. Every single feature has been re-imagined and recreated for both a better user experience and a more secure site.

Again, Chris’ first priority since December 2013 at iThemes has been to completely rework this plugin from the ground up.


iThemes has been building, releasing and supporting commercial (and free) GPL plugins and themes to the WordPress community since 2008.

We are an established company with an awesome team of developers, designers and support techs committed to making your life awesome by building great solutions for you.

As such, support for iThemes Security will now come exclusively through iThemes. We will be releasing those plans and packages with the new release next week.

These will immediately be available to anyone, as well as in our Plugin Suite and iThemes Toolkit customers as part of their membership plans. (BIG BONUS!)

We are also working with highly-knowledgeable partners to provide hack repair and professional setup solution as well for the community.



I know there will be many questions about the future of Better WP Security. And I want to share answers to the key ones we know you’ll be asking.


The base plugin will still (and always) be free on the WordPress.org repo.

We do have Pro only (i.e. paid) features in the works already to monetize and help sustain the continued maintenance of this awesome plugin into the future.

But we have no plans to discontinue the features you now see in BWPS and only hope to continue to enhance and improve them to work better for you.

Our intention all along was to give BWPS a future. Hiring Chris full-time to keep the project going is our commitment to its future.


The base plugin will still be professionally maintained. Again, our commitment is to keep this awesome plugin maintained and active for as long as it’s useful and used by the WordPress community.

This is Chris’ chief role in our company — to maintain BWPS (iThemes Security).

In fact, prior to joining iThemes, Chris was maintaining Better WP Security part-time. Now it will be maintained FULL-TIME by him and our team.


We have plans to grow the base plugin as well. We have a number of free features already on our roadmap that we’ll be sharing, like improving notifications.

Chris and our entire team is excited about seeing where this plugin heads into the future as we help the WordPress community secure their sites.

More Upgrading Info for Current/Existing Better WP Security to iThemes Security

Most settings from Better WP Security will transfer to iThemes Security except for the Hide Backend Setting. You’ll need to reset your Hide Backend Setting due to a new implementation of the feature. In addition, you’ll still want to review your settings after the update as there are new options you will be able to use.


As always, if you have other questions, or have further comments, please make a comment below (or hit our contact form), and we’ll help clarify anything we can.

30+ Ways to Secure Your WP Site:
A Walk-Through of the New iThemes Security Plugin

Free Webinar – Thursday, March 27 @ 11am CDT

In this webinar, Chris Wiegman, lead developer for iThemes Security (formerly known as Better WP Security) will give you a walk-through of how to lock down your WordPress site with this newly revamped plugin. REGISTER NOW


  1. Thank you, but… anytime I see “i…” before a product name I think of Apple. Maybe it’s just me, but that bugs me.

    But who am I to complain? Your fine work has helped keep my site secure. Thanks.

    • Agreed. Very poor name choice. Unless you’re Apple, you shouldn’t be naming your product “i”-anything. This plugin isn’t even specific to Apple products. There’s absolutely nothing Apple or Mac-related here, making the name choice not only confusing, but nonsensical… and it comes off as simply trying to ride Apple’s branding coattails without any legit claim or reason to be doing so.

    • Ummm…

      “iThemes” is the Name of the Company. So if they want to brand the plugin with their company name, then it kind of makes sense that it is called “iThemes…. something”

      If they called it “iSecurity” then I would think you had a valid point. But they didn’t.

      Nothing about iThemes resembles Apple to me. As in they actually have products that work 😉

  2. Thank you for your commitment to this awesome plugin. I will be very interested to see the costs/features/services you come up with for the Pro version and will look forward to being a paid subscriber to support your continuing efforts for WordPress security.

    • Gotcha … well, I didn’t say everything would be free of course. But the base plugin as it is today will be.

      I hope the last 6 years (since 2008) and the next 6 years will show that we try hard to do what we say. :)

  3. This is great news! We use BWPS on pretty much every site we manage and have nothing but good experiences. The new features are welcome additions!

    Cory, any hints to what the paid features will add to the plugin?

    Cheers and thanks for all your efforts – Chris too!

      • How do we stay informed on the roadmap of the plugin Cory?

        PS I use your plugin on all of my clients sites. When I see that they are unsecured. I automatically install your plugin. Great job and thank you for making it available for us.

        Thank you

  4. Hopefully the Google Analytics integration will be optional?

    I consider your plugin to be a must-have feature for every blog or website that I build, and I appreciate that you are keeping this free. Will be looking forward to seeing all of the optional features with the next upgrade. I wouldn’t mind paying for more functionality when I already know that this absolutely works as promised–and then some!

      • Cory, I’d love to see an option for viewing live traffic that displays visitor IPs. I know that bloats the database, but sometimes you just want to know who is on the site. (Then I would only need 1 security plugin. 😉

        But if I ever had to choose a single security plugin, this would be it. Besides the great features, I know that I can turn it off and back on for troubleshooting any time without the entire site falling apart (unlike another security plugin I used to be a fan of), and that it always seems to play well with others. Can’t wait to see what’s next!

  5. The integration with BackupBuddy is interesting. Integration with Sync might be enough to entice me away from ManageWP. Which in its own right is a good service, but it doesn’t integrate with the things that matter to me :)

    • Grant, we are fully focused on providing the ecosystem for key tasks — like backups, ecommerce, security and more — and then being able to manage all of it remotely via iThemes Sync. Stay tuned. More to come! :)

  6. With the new ICANN thing going on and such internet security is more important than ever. i suggest to anyone who is making money with WP to pay for professional security like this. It may be the best investment you make :-0

  7. Awesome plugin>

    But there has been, what I consider, a major bug which I reported almost a year ago and it has still not been fixed (I even gave code samples as to how to fix it). See here…


    Others have filed bug reports about the same thing, including Chris Wiegman himself. But all copies of the bug report still remain Open.

    In a nutshell, there is no file locking when the plug-in is modifying the .htaccess file. When a site is under heavy attack (which is far too common these days) multiple processes will try to write new ban rules to the .htaccess file at the same time. This results in the file becomes corrupted and takes the entire site down!!! So far the only work around is to disable all Ban features or disable the Write To Core Files tweak.

    Any chance that you guys could make getting this bug fixed be your top and only priority?


    A loyal, and sometimes code contributing, user.

  8. Hi Cory, some months ago I wrote to Chris some features that I would like to see in BWPS now iTS :)
    Seems the moment to repeat them here:
    a) an improved layout (bigger fonts, box areas, icons, percentages) to help immediately recognize problem or good state of secureness
    b) captcha/re-captcha for forms, login etc., always useful
    c) autorepair for core hacked files
    d) scheduled sucury scan, with email alerts
    e) anonymizer for WP (to hide every reference of WP in front end generated code. To hide WP is the better step to avoid automatic crackers)
    f) scheduled backups for files too, but when I wrote this wasn’t aware that Chris join to iThemes family :)
    Thanks for your work


  9. Thanks Cory. I have NO problem paying for support or a premium product as long as it does what is promised. BackupBuddy has been my staple for quite awhile now, and BWPS has been fantastic, since I got two websites in a week brute force attacked. I’m in the process of putting it on ALL my WP sites, and will definitely be happy to pay for support or the extra protection (and upgrade them all to the new version).

    Keep up the good work!

  10. This is a good move guys! Congratulation. Your plugins is very very useful for us, without it we were going to face hackers mess on our sites.

    Thank you very much for this great move.

  11. Hi Guys

    Great News about this new direction for this fantastic plugin. I trust that the little issues such as it not currently removing the Meta information such as the Generator text, even though it is selected will be sorted.

    Was showing this plugin on a webinar and used the latest version only to find that when I did the security tests it left the meta info behind. Had to do a bit opt back peddling to the listeners.

    All in all it is the only security plugin in I now use for my own websites and customers.

    Keep up the good work and am looking forward to the paid features.

  12. Thanks for an awesome product but I think it should be a premium plugin.

    Its a rare product for wordpress security or you can say it as an All in One security plugin for wordpress & hence a better care it needed.

    Please add an option to revert the file permissions (from 444 to 644 when needed) and .htaccess rewrite rules. That’ll be convenient in some cases.

    Loved your work.

    • Amir,
      I had your problem once where the .htaccess file would not revert to 644 even though I unchecked the box.
      I even tried changing the file permission through cPanel on my hosting but it would still stay 444.

      The solution is to copy & paste all the file’s content to a new .htaccess file and delete the old one.

      Hope that helps.

      • Hi Jesse,

        Thanks for the suggestion buddy. That’s a nice solution but It can be done via chmod command.

        However I changed the permission from cPanel (I am a cPanel user).

        It can also be done via terminal under wordpress installation directory with these commands.
        chmod 644 .htaccess
        chmod 644 wp-config.php

    • Jesse, take a look at the post:

      Changing the name of the plugin will cause it to show an error and deactivate the upgraded plugin. Simply reactivate the new “iThemes Security” plugin in your WP Dashboard after upgrading.

      Good luck 😉

  13. Super Plugin!

    I hope you make these important and big changes better as the nextgengallery switch last year.

    Kind regards


  14. All I would like to say is that I’m THE BIGGEST FAN of BWPS and I am volunteering to share the word out even at WordPress Hangouts and meetings. I just want to hug someone now (and I think we know who). Great job guys…wish I could take you out for a drink or two

    ….from a security geek in Nigeria

  15. Free will be great for beginners at first. With increasing traffic, the traffic should be generating enough revenue to support a webmaster with pro version subscriptions. Great move ithemes.

  16. Uha!! Thumbs up for the new functions especially jQuery scanner, PHP execution in uploads and username discovery. I cant wait to see/test the new version.
    Also one small question, is there a possibility to add/generate nginx rules from the plugin. I’ve found/tested some rules but i don’t find them trustworthy.

    Thank you guys!

  17. Hi guys,

    I’m very happy with this plug-in. Every client of mine has never been hacked. Looking forward to the new plug-in an improved of course.

    Keep up the good work. Thanks to the entire team.

  18. Thanks for the timely update and information.

    Will you maintain the Infinite WP integration – i know you removed and then replaced it.


    • +1 This is critical. Especially for those of us who manage dozens of sites and will now need to re-activate the plugin after update.

  19. That name change thingy will not be an issue, it’s a one time thing anyway. Besides, who cares about the name, important thing is that this plugin is awesome, can’t imagine my site without it!

    Just keep it as cool as it is now and it will all be fine :)

    A huge thank you to Chris for creating such a great plugin, and thank you for keeping it alive and free!

  20. I have been using Better WP Security for a while on all my sites but recently have resorted to using it along side of another security plugin. This was due to several erroneous reports of thousands of files being changed on one of my sites when in fact there was no changes.

  21. There is no comparison of free plugin like “Better WordPress Security”,I have been using this plugin since the start of my blogging career,it has matchless characteristics and help great to secure wordpress blog. The new upgraded version will surely improve the security.

  22. Since i Opened a Site, My Friends Recommend me this Plugin, and i Am using this Plugin so on. Thanks for updating this Plugin Regularly to Secure us from many types of attacks Over WP. Thanks for Sharing again :)

  23. What else I should say? Thank you for supporting this free plugin. I hope many premium user pay your service to help you keep it alive.
    Without BWPS we had many security issues both on our website and our clients.

    Thanks again,

  24. I disagree with the name change. Better WP Security was descriptive and not misleading. iThemes Security doesn’t sound like it’s related to WordPress at all, nor does it sound like it secures WordPress. At best it sounds like a solution for securing iThemes.

    I think keeping Better WP Security and adding iThemes to it somehow might have been better. Better WP Security by iThemes. Wordy, but sounds more useful than the name now implies.

  25. I run several multisite installs. The FAQ on the repository page says it works with multisite, but not any other info. For instance, I’m assuming that it should be network activated, but more novice multisite admins may be unsure. It would be super if you could eventually flesh out a little more about how this plugin is best deployed in a multisite environment.

    • I don’t network activate in general, but each site exists independently in the database if you look at the table structure, so I just install at the top level and activate in each child site as needed.

      That said there isn’t any benefit in using one method over the other as the plugin settings remain per site.

  26. Oh great, so I now have to manually login to 45 wordpress’s and 2 Multi Sites and manually re-activate a plugin because you want a promotional name.


    I spent 7 hours at the weekend attempting to fix a wordpress login problem that occurred simply because BWPS randomly decided to lock every admin out of two websites.

    Not very pleased that I’m going to have to spend so much time managing your name change.

    BWPS is good, but it’s 404 management is overactive, and there are a number of other issues that need to be addressed, particularly the fact that it considers it’s own backups a file change.

  27. I know i may be in the minority but I do have a huge suggestion. There has been cases that WP was installed using Microsoft IIS. (no choice) This plugin and most of its better security features are useless with IIS. Any plans on supporting IIS and web.config?


  28. As an adviser on consumer technology, my site (https://www.positek.net) gets attacked regularly/daily. I use a plugin called Activity Monitor so I can see those attacks as well as legitimate logins. It’s simple yet offers better info than BWPS’ Bad Login Attempts feature. I’d certainly vote for incorporating that functionality into the new product asap. I’d also be very interested in the premium features for better securing my own and clients’ websites. And please break up the logs page so it doesn’t scroll on forever to find the log type you want to examine. Thanks for listening, and I’m an avid fan of BWPS looking forward to iThemes Security!

  29. I have a great idea, currently the DB backup options only work for so then completely stops working. Even when you click on the create DB backup button it simply goes to a blank white page. Please fix this as this is one of the most important features within this plugin.

    There is numerous posts in the support section in the wordpress repo that never get answered by anyone.


  30. I’ve been using WPBS for some months recently and really happy with the result. It helps a lot in preventing spamming attacks and increases website performance.

    One thing I’d love to add to the plugin is when monitoring file changes, please don’t monitor cached file (generated by WP Super Cache or W3TC plugins). Those cached files are changed FREQUENTLY and it’s useless to check them. Maybe a filter or simple check that exclude those plugin’s cache folder is enough.

    Again, thanks for great plugin!

  31. I’ve been using BWPS on both of my blogs for some time now, and I have to say that the product has absolutely lived-up to the promised protection. While I do make a concerted effort to keep my WP versions up to date, it’s a comfort to know that BWPS is keeping watch. I doubt that I go through a day without a lockout notification, and given the nature of my blogs, I know that these are all attempts to subvert the site. I’m looking forward to seeing what’s in store. If I have any concern, it’s based on my prior experience as a developer and the knowledge that re-coding is the equivalent of new code, and that there are always risks with new code… Regardless, I’m looking forward to seeing what’s new. :)


  32. As a satisfied user of BWPS Plugin, I am happy that it will be free again after this major change. Thank you guys, WP community needs you to stay safe!

  33. I have BetterWPSecurity installed on many wordpress sites, and in general it has been working great.

    Unfortunately, I think the plugin and/or the wordpress core automatically updated recently, and I can no longer log into several of the sites.

    This is a major emergency for me, as my clients are going to start freaking out when they can’t log into their sites.

    Please provide instructions on how to disable the plugin via ftp or allow me to log in.

    • Bill, all you need to do is log in to your ftp account and navigate to your wp-contents folder, then access the plugins directory. Once you are in the plugins directory… find the bwps plugin and rename it to something else like better-wp-security-deactivate. It really don’t matter what you rename that folder to. The key thing is that you rename it to something other that it’s original name (better-wp-security).

      You can also do the renaming from your cPanel. Just go into your files directory and follow the same method in accessing the plugins folder to rename the better-wp-security plugin.

      Hope that helps

  34. We publish about 1,000 wordpress sites and use Better Security on each one, but we also use three other security plugins to layer our defense: BulletProof Security, Securi, and Capcha. We hope your new plugin will remain compatible, since it takes them all to harden a WP site enough to keep the bad guys out. Or are you going to take over the .htaccess security now too?

  35. Good work friends! Thank you for having that vision in conjunction with this help around the world. WordPress needs to be more solid every day.

    Best regards

  36. Important question:
    Is the new version also looking for “TimThumb vulnerability” in active Themes and Plugins?
    Is then an option to repair?

  37. Good… but I don’t see any word on what will happen to us, loyal customers who bought the PRO version of WPBS… Will we have a free upgrade to the pro version of iThemes Security Pro, or we will have to pay again to have access to the pro features? Will the new pro version come out at the same as the “standard” version? Will the way to activate license/plugin be the same (and if not, will it cause problems to sites that already have it installed)?

  38. I know this is not the best place for it, but I’m a bit short on time and being a long-time, super-happy and appreciative iThemes customer and user of BWPS, I have a minor BWPS bug to report.

    The RegEx in the default host ban list is a little too aggressive blocks incoming requests from LinkedIn, which prevents LI from retrieving blog post images when sharing links, among other things. Hope this helps! -Abdul

  39. I love the plugin and thanks for keeping it free.

    I would just like to say, however, I’m really not a fan of the iCrap™ naming convention that is pushed around by apple (and mirroring it is not really creative ;). I suppose you will not be changing the name after it’s already been decided, but I just felt like sharing my 2¢ ;P

  40. This sounds great but can you please fix whatever is wrong with backup database tool. Currently it stops working after some time.

    For me and others this is probably the most important tool.

    Thank you

  41. Really happy to hear you are working on hack repair package as well. The customer service through ithemes is awesome, so I expect Better WP Security and all the packages will be fantastic also. Thanks for all the help.

  42. I rely heavily on this plugin to secure my sites… there’s not a single wordpress install that I have out there (and I have many) that does not have this plugin installed and regularly updated. I see the mention of new (paid for/pro) features to come and I hope you make the decision that no paid for feature be a “security” feature… paid for features ought to be easier reporting, live help, fancy colors… whatever… but PLEASE do not make the mistake of making critical (or any) security enhancements “paid for” features only; that scares the crap out of me.

  43. Great plugin and thanks for the update! I can’t wait to see all the new things it can do. :)

    It would be really neat if there was an option to backup the database a different way or if the plugin could handle a large backup. I have a client with a database that is too large for Better WP Security to backup every 3 days and send to me in an email because of the Shopp plugin. Ecommerce dbs (in my experience) are too big.

  44. My site crashed after the upgrade to iThemes Security. Error code “Internal server error”
    Could you please advice me how to avoid this issue ?
    Of course I have a backup and can restore everything , but still got the same error after upgrade

    Thank You




Sale Ends Today! Save 35% OFF BackupBuddy with coupon code BACKUPWP35