Ithemes Security Pro Vs Wordfence? What is the Best WordPress Security Plugin?


IThemes Security Pro Vs WordFence? What is the Best WordPress Security Plugin? But seriously I’m a fan of defender by the crowd at WPMUDEV. They’ve always looked after me.

iThemes Security vs WordFence - Which is the best security plugin

solved 0
TinaJademWoods 2 years 2019-09-07T16:29:55+00:00 8 Answers 0

Answers ( 8 )


    IThemes Security Pro on all of our sites… hide the admin, limit login attempts, ban attempts to login as username admin, two-factor authentication, google invisible Recaptcha on the login form, SSL on the login form. plus way more.

    Get IThemes Security Pro

    Best answer
  1. Ithemes Security Pro Vs Wordfence? What is the Best WordPress Security Plugin?

    Security is a responsibility of your hosting server provider. These plugins do nothing useful, they make your database grow without a reason and while they log dates and IP’s of “attacks” they slow down and put a burden on your site, so in case of a real DDoS attack, they actually help the attacker.


    I’m using Malcare but thinking about trying SecuPress or something else. Not having an issue with Malcare just curious if there’s something more feature rich in a free offering.

    Also just as something funny. I just cancelled a Bluehost demo account today. It was running Astra and Elementor, and I loaded the Landscaping and Gardening Astra Starter Page. Then installed Site Origins Widget Bundle. I also installed WPForms.

    They’re up to date. WP, themes, plugins, everything.

    After about 7 – 10 days Malcare was installed, Malcare states, and not after the first scan mind you, that it found an infected file.

    I also have a site, still have a site, with InmotionHosting.
    It is running all the same stuff except minus site origins widget bundle and wpforms. I also didnt load any Astra starter sites.

    ~3 weeks after my Bluehost site was infected, my Inmotionhosting site still isn’t, according to Malcare.

    I just find that amusing.

    Oh, and one of the things I want that Malcare free version (and neither does pro AFAIK) doesn’t offer? WP admin URL change.

    Used WPS Hide Login but I’m still seeing some IPs trying to brute force somehow even after supposedly changing the default login URL.

    Which is just something else I need to dig into more.


    I use them both on the same sites and it’s fine because they’re not doing the same things. Add your own common sense and you’ve got quite a good basis for your web site security. Of course, you can always do better, but it’s a start.

    IThemes is best as you can change the login URL, database SQL prefix, and other settings that you cannot do with Wordfence.

    I highly recommend themes, In the past my IP got Locked. thanks to Wordfence that make my day really difficult that day, and there are no ways to unlock it again.

    Careful with the use of Wordfence – many hosts don’t allow it (WPEngine, Synthesis, etc) so you may find yourself having to find another one should you move to one of those hosts. I recommend & use iThemes, a custom plugin, .htaccess and a few other methods, depending on the site.

    Visit IThemes Security Website


    I rely on server-side security for the firewall, and the only plugin I install by default on sites is Limit Login Attempts to deal with brute force bot attempts.

    In my own experience, plugins like WordFence slow the site down badly.

    I don’t question the expertise of the developers and analysts who provide these tools or the contributions they make to the community in terms of education about security issues, but in my opinion the plugins themselves are designed to create fear. That fear is what sells the premium product, and in many cases having one of these plugins installed doesn’t prevent a site being hacked, although they might alert you after the fact.

    The most common point of entry for hackers is probably old or outdated plugins, or using nulled premium products that were downloaded from some dodgy site that offer “free” versions of licensed products.

    Strong passwords, decent hosting, regular backups, and keeping everything up to date is the best first line of defense.


    If you’re on a host with a properly configured web app firewall and follow common security practices, then that will cover most of the day to day protection.

    I’ve personally cleaned dozens of hacked sites over the years and my company must have cleaned many hundreds by now. I can’t think of a single one of them that was using wordfence, yet I’ve seen sucuri on them on occasion. Frequently there’s been ithemes security (it doesn’t seem to do much).

    When it comes to scanning already hacked sites wordfence wins hands down over sucuri. Frequently neither of them get everything but wordfence just about always finds *more* injected files and files which are part of the intrusion kit than does sucuri.

    Just some observations from someone who regularly cleans hacked sites.


    You could be the best security plugin. Try to use plugins from reliable sources and keep a strong password. This does pretty much of your work. WordFence will keep you informed about any outdated plugin or theme. It also helps in scanning and identifying any (may not all) suspicious file on your WP installation.


    For my experience, I’m using a VPS with root access so the first thing I protect my ssh I block the root login and create a user with admin command after that I start to install all the necessary (update my server install LEMP, Nginx, MariaDB, PHP) after that I use IP tables with fail2ban, it’s the most basic you can do to protect your server from hacker after for WordPress I use only Akismet ( 5 USD per month) with a captcha and my hosting protect me from DDoS. And all the common things you can do always update WordPress and plugin etc never use nulled plugin !!!

Leave an answer

What is the capital of Egypt? ( Cairo )