Menu
iThemes
Your one-stop shop for WordPress themes, plugins and training.

The best WordPress security plugin, Better WP Security, is now...

Get iThemes Security Pro

Experts to Help

Website security is a complicated subject and you don't want to go at it alone, especially if you're not quite sure how everything works. iThemes Security Pro customers get 1 year of ticketed support, so you know our support team is ready to help you when you need it.

Upcoming Pro Features & Updates

We have a long list of Pro features planned for release in the next few months. Get iThemes Security Pro now and you'll get 1 year of updates including all new Pro features released during that year. Check out our public roadmap to see all the awesome stuff we'll add to iThemes Security Pro during your membership.

Features FAQ Pro Setup Hack Repair Pricing

WordPress security that's more like a to-do list than a terminal.

iThemes Security shows you a list of things to do to make your site more secure with a simple way to turn options on or off. We've simplified these steps and provided descriptions of each action so you know exactly what's happening on your site. You shouldn't have to be a security pro to use a security plugin. And isn't that the point?



See how easy it is to get started


iThemes Security To-Do List

Defend your site from attacks you never knew existed.

Brute Force Protection

Limit the number of failed login attempts allowed per user. If someone is trying to guess your password, they'll get locked out after a few tries. You can even whitelist your own IP, so you're allowed more login attempts.

File Change Detection

If someone manages to get into your site, they'll probably add, remove or change a file. Get email alerts showing any file changes so you know if you've been hacked.

404 Detection

If a bot is scanning your site for vulnerabilities, it will generate a lot of 404 errors. iThemes Security will lock out that IP after the limit you set (20 errors in 5 minutes by default).

Strong Password Enforcement

Set which level of users on your site (admins, editors, users, etc.) need to have strong passwords. This is one of the best ways to secure your site.

Lock Out Bad Users

Keep bad users away from your site if they have too many failed login attempts, a lot of 404 errors or if they're on a bot blacklist.

Away Mode

Not making changes to your site 24 hours a day? Make the admin area inaccessible during specific hours so no one else can sneak in.

Hide Login & Admin

You can change the URL of your login area and admin area so attackers won't know where to look. This feature is also great to help clients remember their login link.

Database Backups

Schedule database backups and have them emailed to you. Or you can get BackupBuddy to step up your backup game. Make complete backups and send them to off-site storage destinations.

Email Notifications

Get email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.

Dashboard Widget

New

Get a quick view of important security stats for your site and easily perform security actions like temporarily whitelisting your IP — without having to navigate to the plugin’s settings.

Online File Comparisons

New

iThemes Security Pro compares changes made to any WordPress core file on your system with the version on WordPress.org to determine if the change was malicious.

Geo-IP Banning

Coming Soon

Getting a lot of spam or brute force attacks from a specific, obscure country? Block IP addresses by country with Geo-IP banning.

See all 30+ ways iThemes Security protects your site

More than 30 Ways to Secure Your Site

  1. Remove the meta "Generator" tag
  2. Change the urls for WordPress dashboard including login, admin, and more
  3. Completely turn off the ability to login for a given time period (away mode)
  4. Remove theme, plugin, and core update notifications from users who do not have permission to update them
  5. Remove Windows Live Write header information
  6. Remove RSD header information
  7. Rename "admin" account
  8. Change the ID on the user with ID 1
  9. Change the WordPress database table prefix
  10. Change wp-content path
  11. Removes login error messages
  12. Display a random version number to non administrative users anywhere version is used
  13. Scan your site to instantly tell where vulnerabilities are and fix them in seconds
  14. Ban troublesome bots and other hosts
  15. Ban troublesome user agents
  16. Prevent brute force attacks by banning hosts and users with too many invalid login attempts
  17. Strengthen server security
  18. Enforce strong passwords for all accounts of a configurable minimum role
  19. Force SSL for admin pages (on supporting servers)
  20. Force SSL for any page or post (on supporting servers)
  21. Turn off file editing from within WordPress admin area
  22. Detect and block numerous attacks to your filesystem and database
  23. Detect bots and other attempts to search for vulnerabilities
  24. Monitor filesystem for unauthorized changes
  25. Create and email database backups on a customizable schedule
  26. Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
  27. Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.
  28. Works on multi-site (network) and single site installations
  29. Works with Apache, LiteSpeed or NGINX (NGINX will require you to manually edit your virtual host configuration)
  30. New Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).
  31. New Disable PHP execution in Uploads
  32. New Force users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting user's login usernames from the code on author pages.
  33. New Disable a user's author page if their post count is 0, making it harder for bots to determine usernames of users that don't post to your site.

Enforce strong passwords for all users.

Passwords are a critical component of a solid WordPress security strategy. iThemes Security Pro makes it easier for you to enforce strong passwords, making your sites more secure.

Use iThemes Security Pro's strong password enforcement settings to add a strong password generator to user profiles, set minimum password character limits, enable password expirations and control the minimum user role for strong password roles.

Secure your WordPress site with two-factor authentication.

Strong passwords not enough? With iThemes Security Pro's two-factor authentication setup, users are required to enter both a password AND a second code sent to a device like your Android smartphone or iPhone.

Both the password and the code are required to log in to a user account, adding an extra layer of security that verifies it’s actually you logging in and not someone who gained access (or even guessed) your password.

Know your site is safe with scheduled malware scanning.

Malware is often disguised or embedded in non-malicious files, so you may not know your site is infected. Hackers use malware to gather sensitive information and get unauthorized access to your site.

Know your site is malware-free with scheduled malware scanning. The malware scanning works to analyze your site and identify malicious content, phishing software and suspicious code detected by a reliable network of antivirus engines and website scanners.

With iThemes Security Pro, you can set weekly scheduled scans of URLs and files so you know you have ongoing protection.

Integrated with iThemes Sync.

iThemes Sync offers a secure way to remotely release iThemes Security lockouts and set Away Mode for your site.

Enable/Disable Away Mode

iThemes Security Pro's Away Mode feature shuts off access to your site's dashboard. With Sync, you can turn Away Mode on or off remotely on any of your sites running iThemes Security Pro.

Release Lockouts

Using Sync, you can see the IP addresses for any locked out users. To release lockouts, just click the Release button. All without every having to log into your site.

More Pro Features Coming Soon

(We're working on them now)
Check our public roadmap or view pricing

Pricing Options

Plugin Suite

Developer licensing for all 20 of our plugins.

Including BackupBuddy, Exchange, the DisplayBuddy series and more!

$247

Developer

Ideal for WordPress designers and developers.

unlimited licenses $150

Business

Ideal for people with multiple business sites.

10 licenses $100

Personal

Ideal for personal bloggers or single website owners.

2 licenses $80

Pro Setup $80

Still sound daunting to jump into alone? Have one of our security experts set it all up for you. We configure exactly what you need for your specific site. There are a lot of settings to manage with security, even with a plugin that makes things easier. Security is our business, not yours. So if you want to do it right, have the pros help.

This is an add-on service to the plugin and does not include the cost of the plugin itself. This service can also be used to set up the free WordPress.org version of iThemes Security for you.

Have a Pro Secure Your Site

Why should I use Pro setup?

1 You have a big client and you're afraid you're in a little over your head. We'll do the dirty work and make sure they're good to go and you look like a pro.

2 You've been hacked before and you want to do everything you can to not let it happen again. We'll lock down your site for you so it won't.

3 You're not the technical type, but you know that security is important and you don't want to get caught unprepared. We'll handle all the technical stuff for you.

Have questions?

What will I have to change in upgrading from Better WP Security to iThemes Security?
Most settings from Better WP Security will transfer to iThemes Security except for the Hide Backend Setting. You’ll need to reset your Hide Backend Setting due to a new implementation of the feature. In addition, you’ll still want to review your settings after the update as there are new options you will be able to use.
Why does iThemes Security require the latest WordPress version? Can’t I use a slightly older version?
One of the best security practices for a WordPress site owner is keeping software up to date. Because of this, we only test this plugin on the latest stable version of WordPress and will only guarantee it works in the latest version.
Will this plugin completely stop all attacks on my site?
No. iThemes Security is designed to help improve the security of your WordPress installation from many common attack methods, but it cannot prevent every possible attack. Nothing replaces diligence and good practice. This plugin makes it a little easier for you to apply both.
Is “one-click” protection good enough?
One-click protection will help reduce the risk of attack on your site, but we recommend fixing as many high, medium and low priority items in the Security Status section as possible. If you have a plugin or theme that conflicts with an iThemes Security feature, we recommend deactivating the offending feature.
Is this plugin only for new WordPress installs or can I use it on existing sites, too?
Many of the changes made by this plugin are complex and can break existing sites. While iThemes Security can be installed on either a new or existing site, we strongly recommend making a complete backup of your existing site before applying any features included in this plugin.
Will this work on all servers and hosts?
iThemes Security requires Apache or LiteSpeed and mod_rewrite or NGINX to work. While this plugin should work on all hosts with Apache or LiteSpeed and mod_rewrite or NGINX, it has been known to experience problems in shared hosting environments where it runs out of resources such as available CPU or RAM. For this reason, it is extremely important that you make a backup of your site before installing on any existing site. If you run out of resources during an operation such as renaming your database table, you may need your backup to be able to restore access to your site.Finally, please make sure you have adequate RAM if you plan to use the file change detector or make large backups.
Does this work with network or multisite installations?
Yes.We’re in the process of developing more documentation, so we’ll update this as soon as it’s ready.
Can I help?
Of course! We are in constant need of testers. In addition, we can always use help with translations for internationalization. For more information on contributing to iThemes Security, visit this page.
What changes does this plugin make that can break my site?
iThemes Security makes significant changes to your database and other site files which can be problematic for existing WordPress sites. Again, we strongly recommended making a complete backup of your site before using this plugin. While problems are rare, most support requests involve the failure to make a proper backup before installation. DISCLAIMER: Under no circumstances do we release this plugin with any warranty, implied or otherwise. We cannot be held responsible for any damage that might arise from the use of this plugin.

Note that renaming the wp-content directory will not update the path in existing content. Use this feature only on new sites or in a situation where you can easily update all existing links. For more information, visit Fixing iThemes Security Lockouts and What is Changed By iThemes Security

Where can I get help if something goes wrong?
Official support for this plugin is available for iThemes Security Pro customers. Our team of experts is ready to help. To access support, please visit the iThemes Member Panel to create a support ticket.

Tell your boss (or your developer) about iThemes Security Pro. They'll thank you later.

Send them an email
  • Don't worry. We won't send them (or you) any emails after this one.
    But if you want more emails & updates from us, you can sign up for that here.