Search Over 30,000 FREE Plugins from the Official WordPress Plugin Directory Repository

iThemes Security (formerly Better WP Security)

Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.

iThemes Security is the #1 WordPress Security Plugin

iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.

Most WordPress admins don't know they're vulnerable, but iThemes Security works to lock down Wordpress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.

Maintained and Supported by iThemes

iThemes has been building and supporting WordPress tools since 2008 like BackupBuddy, our WordPress backup plugin. With our full range of WordPress plugins, themes and training, WordPress security is the next step in providing you with everything you need to build the WordPress web.

Get Plugin Support and Pro Features

Get added peace of mind with professional support from our expert team and pro features to take your site's security to the next level with iThemes Security Pro.

Pro Features:

  • Two-Factor Authentication - Use a mobile app such as Google Authenticator or Authy to generate a code or have a generated code emailed to you.
  • WordPress Salts & Security Keys - The iThemes Security plugin makes updating your WordPress keys and salts easy.
  • Malware Scan Scheduling - Have your site scanned for malware automatically each day. If an issue is found, an email is sent with the details.
  • Password Security - Generate strong passwords right from your profile screen.
  • Password Expiration - Set a maximum password age and force users to choose a new password. You can also force all users to choose a new password immediately (if needed).
  • Google reCAPTCHA - Protect your site against spammers.
  • User Action Logging - Track when users edit content, login or logout.
  • Import/Export Settings - Saves time setting up multiple WordPress sites.
  • Dashboard Widget - Manage important tasks such as user banning and system scans right from the WordPress dashboard.
  • Online File Comparison - When a file change is detected it will scan the origin of the files to determine if the change was malicious or not. Currently works only in WordPress core but plugins and themes are coming.
  • Temporary Privilege Escalation - give a contractor or someone else temporary admin or editor access to your site that will automatically reset itself.
  • wp-cli Integration - Manage your site's security from the command line.

iThemes Sync Integration

Manage more than one WordPress site? Manage Away Mode, release lockouts and keep your themes, plugins and WordPress core up to date from one dashboard with iThemes Sync. Start managing 10 WordPress sites for free with iThemes Sync.

iThemes Brute Force Attack Protection Network

iThemes Security takes brute force attack protection to the next level by banning users who have tried to break into other sites from breaking into yours. The iThemes Brute Force Attack Protection Network will automatically report IP addresses of failed login attempts and will block them for a length of time necessary to protect your site based on the number of sites that have seen a similar attack.


iThemes Security works to protect your site by blocking bad users and increasing the security of passwords and other vital information.

  • Prevents brute force attacks by banning hosts and users with too many invalid login attempts
  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Bans troublesome user agents, bots and other hosts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Forces SSL for admin pages (on supporting servers)
  • Forces SSL for any page or post (on supporting servers)
  • Turns off file editing from within WordPress admin area
  • Detects and blocks numerous attacks to your filesystem and database


iThemes Security monitors your site and reports changes to the filesystem and database that might indicate a compromise. iThemes Security also works to detect bots and other attempts to search vulnerabilities.

  • Detects bots and other attempts to search for vulnerabilities.
  • Monitors filesystem for unauthorized changes.
  • Run a scan for malware and blacklists on the homepage of your site.
  • Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.


iThemes Security hides common WordPress security vulnerabilities, preventing attackers from learning too much about your site and away from sensitive areas like your site's login, admin, etc.

  • Changes the URLs for WordPress dashboard areas including login, admin and more
  • Completely turns off the ability to login for a given time period (away mode)
  • Removes theme, plugin, and core update notifications from users who do not have permission to update them
  • Removes Windows Live Write header information
  • Removes RSD header information
  • Renames "admin" account
  • Changes the ID on the user with ID 1
  • Changes the WordPress database table prefix
  • Changes wp-content path
  • Removes login error messages


iThemes Security makes regular backups of your WordPress database, allowing you to get back online quickly in the event of an attack. Use iThemes Security to create and email database backups on a customizable schedule.

For complete site backups and the ability to restore or move WordPress to a new host or domain, check out BackupBuddy.

Other WordPress Security Benefits

  • Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
  • Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images

WordPress Security Tutorials

Learn how to use our WordPress security plugin with our series of in-depth tutorial videos:


  • Works on multi-site (network) and single site installations
  • Works with Apache, LiteSpeed or NGINX (Note: NGINX will require you to manually edit your virtual host configuration)
  • Features like database backups and file checks can be problematic on servers without a minimum of 64MB of RAM. All testing servers allocate 128MB to WordPress and usually don't have any other plugins installed.


Please let us know if you would like to contribute a translation.


Please read the installation instructions and FAQ before installing this WordPress security plugin. iThemes Security makes significant changes to your database and other site files which can be problematic, so a backup is strongly recommended before making any changes to your site with this plugin. While problems are rare, most support requests involve the failure to make a proper backup before installation.

Author iThemes
Contributors ithemes, chrisjean, gerroald, mattdanner
Tags admin, administration, Anti Virus, attack, authentication, ban, block, bots, brute force, hack, htaccess, injection, lockdown, login, login security, maintenance, malware, password, permissions, prevention, protect, protection, secure, security, security log, security plugin, ssl, user agents, xml rpc
  1. better-wp-security screenshot 1

    WordPress security settings are organized into an easy-to-use dashboard.

  2. better-wp-security screenshot 2

    Settings can also be managed in a list view.

  3. better-wp-security screenshot 3

    Settings are easily configured and explained with descriptions.

  4. better-wp-security screenshot 4

    Advanced WordPress security settings let you make more complex modifications to your site.

  5. better-wp-security screenshot 5

    Free malware scan powered by Sucuri SiteCheck.

NOTE: iThemes Security makes significant changers to your database and other site files which can be problematic, so a backup is strongly recommended before making any changes to your site with this plugin. While problems are rare, most support requests involve the failure to make a proper backup before installation.

  1. BEFORE YOU BEGIN: Back up your WordPress database, config file, and .htaccess file. We recommend using BackupBuddy, our WordPress backup plugin for a complete site backup.
  2. Upload the zip file to the /wp-content/plugins/ directory
  3. Unzip
  4. Activate the plugin through the 'Plugins' menu in WordPress
  5. Visit the Security menu for checklist and options

DISCLAIMER: Under no circumstances do we release this plugin with any warranty, implied or otherwise. We cannot be held responsible for any damage that might arise from the use of this plugin.


  • Bug Fix: Fixed bug that prevented Away Mode from activating on some sites.


  • Enhancement: Added logging for failed two-factor, OAuth, and REST API authentications.
  • Enhancement: Added logging details about the source of login failures and the type of authentication that failed.
  • Enhancement: Due to improvements in tracking authentication failures, brute force attempts using alternate authentication methods are more reliably found and blocked.
  • Enhancement: The server's IP is treated as whitelisted and will not be considered for lockouts or bans.
  • Enhancement: Reduced memory usage when creating a backup.
  • Enhancement: Changed log entry description of "IP Flagged as bad by iThemes IPCheck" to "IP Flagged by Network Brute Force Protection". This should help clarify the meaning of the log entry.
  • Enhancement: Improved efficiency of the Network Brute Force Protection feature.
  • Bug Fix: Fixed bug that prevented Network Brute Force Protection from working properly on some sites.


  • Bug Fix: Removed "comodo" from the list of user agents blocked by the blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
  • Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
  • Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".


  • New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.


  • Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.


  • Enhancement: Updated the lockouts notification email to a new design. This new design also cleaned up the translation strings to allow better translations.
  • New Feature: Added a "Protect Against Tabnapping" feature in the WordPress Tweaks section. Details of what this feature protects against can be found here:
  • Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.


  • Bug Fix: Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
  • Bug Fix: Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
  • Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
  • Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
  • Enhancement: Improved the logic for determing the requesting IP address to better handle situations where the site is behind a reverse proxy.
  • Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
  • Enhancement: All links in Security that have target="_blank" now have added rel attributes to protect against tabnapping.
  • Misc: Updated remaining links to instead link to in keeping with other links that were previously updated to


  • Bug Fix: Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
  • Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
  • Bug Fix: Removed redundant entries in the HackRepair blacklist.
  • Bug Fix: Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
  • Bug Fix: Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
  • Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
  • Bug Fix: Replaced static references to wp-includes with the WPINC define.
  • Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
  • Bug Fix: Added escaping to some translation strings.
  • Bug Fix: Removed unused files from the WordPress Tweaks module directory.
  • Bug Fix: Fixed the Daily Digest email reversing the user and host lockout counts.
  • Bug Fix: The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This will fix the mail being blocked by some mail servers due to a spoofed from address.
  • Enhancement: Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
  • Enhancement: Updated the database backup email to a new design.
  • Enhancement: Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is becasue the DELETE HTTP method is blocked when the setting is enabled.
  • New Feature: Added setting to block requests for PHP files in the plugins directory in System Tweaks.
  • New Feature: Added setting to block requests for PHP files in the themes directory in System Tweaks.


  • Bug Fix: Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
  • Bug Fix: Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
  • Bug Fix: Fixed issue that could prevent saving of File Change settings, resulting in an error messages of "A validation function for file-change received data that did not have the required entry for latest_changes."
  • Bug Fix: Fixed iThemes Security Pro logo appearing in daily digest emails.


  • Bug Fix: Removed the "Wget" user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
  • Bug Fix: Fixed error "PHP message: PHP Fatal error: 'continue' not in the 'loop' or 'switch' context".
  • Enhancement: Added new Daily Digest email design.


  • Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
  • Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
  • Bug Fix: The Security > Security Check link now works as expected in multisite.
  • Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from working properly.
  • Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were unrelated to request length.
  • Bug Fix: Corrected a settings description typo in Global Settings.
  • Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
  • Misc: Added placeholder for the Version Management module of iThemes Security Pro.
  • Misc: Updated build number to trigger some updates.


  • Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
  • Bug Fix: Prevented some notices from displaying to users who do not need to see them.
  • Bug Fix: Limited notices to only display on specific pages on the dashboard.
  • Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
  • Code Cleanup: Removed legacy code that is no longer needed.
  • Enhancement: Started tracking when a user was last seen as logged in and active for future use.
  • Misc: Added a placeholder for the Pro feature "User Security Check".


  • New Feature: Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
  • Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
  • Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.


  • New Feature: Added a new File Permissions section on the settings page to bring back the directory and file permissions listing feature found on the Security > Dashboard page of older plugin versions.
  • Bug Fix: Fixed a situation where adding a very large list of IP's in the Ban Hosts list would generate an invalid .htaccess file on some servers.
  • Enhancement: The Database Backups, Local Brute Force Protection, Network Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features are now active by default on new installations.
  • Enhancement: The WordPress Tweaks feature now uses the "Disable File Editor" setting by default on new installations.
  • Enhancement: The WordPress Tweaks feature now sets the "Multiple Authentication Attempts per XML-RPC Request" setting to "Block" by default on new installations.
  • Enhancement: Improved the styling of notices.


  • Bug Fix: Fixed SQL query for Database Backups when "Backup Full Database" is enabled.


  • Bug Fix: Fixed bug that could cause some sites to lose settings when upgrading.


  • Bug Fix: Don't rely on externally loaded MailChimp JavaScript.


  • Bug Fix: Fixed links to Settings, Logs, and creating a backup on Multisite.
  • Enhancement: The "Write to Files" setting is now enabled by default.


  • Bug Fix: Fixed error that would prevent nginx servers from being able to make use of the "Reduce Comment Spam" feature of the WordPress Tweaks module.
  • Bug Fix: Restored missing log filter for 404 Detection log entries.


  • Enhancement: New user interface with both grid and list views for managing settings.
  • Enhancement: New automatic temp whitelisting of IPs for users that manage iThemes Security settings.
  • Enhancement: Better feedback on errors when modifying wp-config.php or server config files.
  • Enhancement: Improved code efficiency of the Away Mode feature so that it takes less processing time when active.
  • Enhancement: Rather than disabling features that have invalid user input, the user now can fix the issue before saving.
  • Enhancement: Improved the efficiency of the plugin's loading code, reducing the amount of time taken to run the plugin.
  • New Feature: Global settings now has a "Show Error Codes" setting that can provide an error message's specific error code when it is enabled.
  • Bug Fix: More than one IP can now be temp whitelisted.
  • Bug Fix: Fixed a bug where some modules would be enabled or disabled when they shouldn't be after upgrading to the latest version.
  • Bug Fix: Will not send notification emails about the new login address when Hide Backend is enabled and doing an upgrade.
  • Compatibility Fix: Updated handling of wp_remote_get() responses in preparation for changes coming in WordPress 4.6.


  • Bug Fix: Throw a real 403 instead of a faked 404 for hide backend - Fixes compatability with certain plugins including WordPress SEO. Hat tip to Joost de Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.


  • Security Fix: Better caps checks for dismissal of changed file dialog - Thanks to Julio Potier for notifying us of this issue.
  • Bug Fix: Make file change warning dialog text properly translatable
  • Enhancement: Adding 'itsec_log_event' action for logged events


  • Security Fix: No longer using document.location to build 'Show Intro' link in admin - Thanks to David Lodge (Pen Test Partners) for notifying us of this issue.
  • Bug Fix: Fixed some notices when certain multisite options are used on BuddyPress
  • Enhancement: New itsec_white_ips filter to allow plugins that work with external services to whitelist service IPs


  • Bug Fix: Fixed issue that could cause a fatal error after changing the content directory.
  • Bug Fix: Updated the link to sign up for security guide download to point to a https address. This is better security and prevents warnings when submitting from a http site in some browsers.
  • Bug Fix: If a cryptographically secure log file name can't be generated, queue up log file writes until we can.


  • Bug Fix: Fixed temporary whitelisting by preventing a temporarily whitelisted IP from being locked out.


  • Bug Fix: Updated code that generates the backups and logs directories to ensure that it attempts to create the parent directory if it does not exist yet.
  • Bug Fix: Removed warnings that could be generated if the logs directory could not be created.
  • Bug Fix: Database backup files sent via email no longer have a name without an extension if zipping up the file fails.


  • Security Fix: Hardened the created backups and logs directories. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
  • Security Fix: More secure backup and log file names. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
  • Bug Fix: The "NGINX Conf File" setting is now properly respected, causing the generated NGINX configuration file to be stored in that location.
  • Enhancement: Generated database backup file names now contain a human-readable timestamp in the format of YYYYMMDD-HHMMSS.
  • Enhancement: Zipped database backup files no longer contain a deeply nested directory structure. Instead, they only contain the sql file.
  • Enhancement: When the "Force Unique Nickname" feature is enabled, the generated display name now uses an improved randomization function.
  • Enhancement: Improved tabbing of rules in generated nginx.conf files.
  • Enhancement: Removed the "See what's new button" as it has fulfilled its purpose.


  • New Feature: Added support for IPv6 addresses. This includes support for IPv6 in lockouts, ban hosts, and white lists.
  • Bug Fix: Fixed issue that could cause username-based lockouts to fail for long usernames.
  • Bug Fix: Fixed issue that prevented wildcard IP ranges from being blacklisted or whitelisted.
  • Bug Fix: Removed warnings generated when the Away Mode module is disabled and iThemes Sync contacts the site.
  • Enhancement: Updated descriptions of valid IP and IP range formats for the Lockout White List and the Ban Hosts settings.
  • Enhancement: Updated host entries in log details to link to rather than This is because does not support IPv6 addresses.
  • Enhancement: Updated some translatable strings relating to blacklisting and whitelisting to allow for better translations.
  • Enhancement: Added details about how wildcard IP ranges are converted to CIDR format (this improves performance).


  • Bug Fix: Comparisons of IPv4 addresses and ranges now include the IP's at the edge of the ranges.
  • Bug Fix: IPv4 tests now work as expected when deciding if a blacklisted IP or range overlaps a whitelisted IP's and ranges.
  • Bug Fix: Fixed styling issue that affected the display of the horizontal tabs on settings pages in WordPress 4.5.
  • Bug Fix: Replaced old module sorting order in settings screens.
  • Bug Fix: Fixed PHP 7 compatibility issue that triggers the following error: "Uncaught Error: Call to undefined function mysql_get_client_info()".
  • Bug Fix: Fixed warnings and errors that could occur when deleting the plugin.
  • Bug Fix: Fixed warning that could occur on a failed login when Local Brute Force Detection is disabled.
  • Bug Fix: All data added to the options table by iThemes Security is removed on uninstall.
  • Bug Fix: Fixed the cause of the following warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not have a method 'execute_deactivate'
  • Enhancement: When a lockout is being executed, wp_logout() will only be called if the current page request comes from a logged in user. This prevents plugins that log logout events from logging log outs from unknown users.
  • Enhancement: Improved the descriptions used for some of the data displayed in the "System Information" section of Security > Dashboard.
  • Enhancement: Added "Use MySQLi" entry to the "System Information" section of Security > Dashboard to show whether the MySQLi driver is enabled.
  • Enhancement: Updated the "SQL Mode" entry in the "System Information" section of Security > Dashboard to show the full details if that value is set.
  • Enhancement: Improved code that ensures that tables and options table entries created by iThemes Security are removed on uninstall only when no other iThemes Security plugin is active.


  • Security Fix: Fixed PHP code that could allow AJAX requests to list directories and files outside the directory structure of the WordPress installation. Note that these AJAX requests required a logged in user with admin-level privileges. This vulnerability was unable to be exploited by non-privileged or anonymous requests.
  • Bug Fix: Updated the SSL feature to use 301 redirects rather than 302 redirects.
  • Bug Fix: Fixed situations where security nonces would incorrectly trigger "security check" errors when enabling specific combinations of features on the settings page.
  • Bug Fix: Enabling scheduled database backups and setting a backup interval of 0 days no longer results in a backup being created on every page load.
  • Bug Fix: Module-specific data is properly initialized/removed on plugin activation, deactivation, and uninstallation.
  • Feature Removal: Removed the "Security Status" portion of the Security > Dashboard page. This is in preparation for a new tool that provides suggestions tailored to the site and server that Security is running on.
  • Enhancement: Updated the way the feature modules function in order to allow them to be redesigned in a more efficient and flexible way for future releases.
  • Enhancement: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
  • Enhancement: Updated the Database Backup feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
  • Enhancement: Added localization support for some non-localized strings.
  • Enhancement: Improved detection of multiple active versions of iThemes Security.


  • Enhancement: Removed Yandex and Sogou from the HackRepair blacklist as they are legitimate search engine bots.
  • Enhancement: Added detailed information about Sucuri malware scan errors to Malware Scan log details.
  • Bug Fix: No longer enables display of database errors when an event is logged.


  • New Feature: Added "Multiple Authentication Attempts per XML-RPC Request" setting to the WordPress Tweaks section. When this setting is set to "Block", iThemes Security will block brute force login attacks against XML-RPC as described by Sucuri in this blog post:
  • Enhancement: Updated text describing the XML-RPC setting in the WordPress Tweaks section to better explain what the setting is for and which setting is recommended.
  • Enhancement: Improved IP detection when proxy detection is active by processing the header set by CloudFlare.
  • Enhancement: Added a filter named itsec_filter_remote_addr_headers which can be used to change which headers are searched for the client IP. This allows for tailoring the IP detection for specific reverse proxies and load balancers.
  • Bug Fix: Updated the Banned Users settings to no longer add a newline to the Ban Hosts input each time the settings page is saved.
  • Compatibility Fix: Updated code triggered by the ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY define. This avoids plugin compatibility issues that prevent disabling the SSL peer verification.


  • Compatibility Fix: Added support for ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY. Setting it to true can bypass "SSL peer certificate or SSH remote key was not OK" errors on servers with bad SSL configurations.


  • Compatibility Fix: Changed translation domain from it-l10n-better-wp-security to better-wp-security. This change was necessary in order to be included in the project.
  • New Feature: Added malware scanning provided by Sucuri SiteCheck.


  • Feature Removal: Removed the "Remove WordPress Generator Meta Tag" and "Display Random Version" features as they are not recommended due to limited security benefit and creating compatibility issues.
  • Enhancement: Added the ability to undo the Content Directory change.
  • Bug Fix: No longer tries to load a non-existent JavaScript file for the salts module.
  • Bug Fix: Fixed an issue with one-time database backups on multi-site installs.
  • Bug Fix: Fixed issues related to locating .htaccess or nginx.conf files on sites with WordPress installed in a separate directory.
  • Bug Fix: Fixed issues with PHP blocking in uploads directory not working with certain non-standard setups.
  • Bug Fix: Minor change to fix a warning that can appear after changing the Content Directory.
  • Bug Fix: Fixed a PHP fatal error that could occur on some servers when adding a ban to the site's .htaccess or nginx.conf file.


  • Feature Removal: Removed the malware scanning features as VirusTotal no longer supports scanning from WordPress sites. A replacement is in the works.
  • Bug Fix: The close button on the "Thank you for activating iThemes Security" message now appears in the correct location.
  • Bug Fix: Removed the site's URL being displayed in the "Replace jQuery With a Safe Version" setting details.
  • Bug Fix: Updated .htaccess rules to be compatible with Apache 2.4 without the auth compat module.
  • Bug Fix: Enabling and disabling the "Remove File Writing Permissions" setting now updates the file permissions properly.
  • Bug Fix: Web servers that cannot be recognized now default to Apache.
  • Enhancement: Updated the hackrepair lists.


  • Enhancement: Updated to use new file modification API.
  • Enhancement: Added blacklist for Nginx.
  • Enhancement: Improved Nginx support for System Tweak features.
  • Enhancement: Updates to wp-config.php, .htaccess, and nginx.conf files now support more systems.
  • Enhancement: Combined the "Force SSL for Dashboard" and "Force SSL for Login" settings to a unified "Force SSL for Dashboard" setting. This is due to how the FORCE_SSL_LOGIN define was deprecated in WP 4.0.0.
  • Enhancement: Added comments to wp-config.php, .htaccess, and nginx.conf updates that indicate which settings affect the specific entries.
  • Enhancement: Added translation support for previously static strings, including strings used for comments in wp-config.php, .htaccess, and nginx.conf files.
  • Enhancement: Improved generation of valid referers for use by the Reduce Comment Spam feature.
  • Enhancement: Broadened the server support in the import settings code.
  • Enhancement: Added new library classes for managing files, directories, and config files.
  • Enhancement: Improved error messages for when file writes fail.
  • Enhancement: Improved error messages for when export file creation fails.
  • Enhancement: Improved error messages for situations when the .htaccess, nginx.conf, or wp-config.php files may need to be manually updated.
  • Bug Fix: Added support for Apache 2.4 without the access_compat module.
  • Bug Fix: Fixed condition where forcing SSL on front-end pages could cause infinite redirection loops with specific setups of nginx to Apache reverse proxy servers.
  • Bug Fix: Fixed scenarios where the site would be forced to load via https but scripts, stylesheets, and images would load via http.
  • Bug Fix: Fixed invalid nginx.conf rule generation for the Reduce Comment Spam feature.
  • Bug Fix: Corrected invalid parsing of some IP formats in Ban Hosts list.
  • Bug Fix: Improved error handling when reading or updating config files.
  • Bug Fix: Fixed various warnings that would display when changing settings.
  • Bug Fix: Fixed a situation where creation of a zipped export file would fail, but an email would still be sent as if the zip was created successfully.


  • Security fix for XSS vulnerability. Thanks to Ole Aass (@oleaass) for finding and disclosing this vulnerability to the iThemes Security team.


  • Enhancement: Translation files can now be stored in WP_LANG_DIR/plugins/better-wp-security/ so that translation files will not be overwritten on when the plugin updates.
  • Bug Fix: The file permissions check will no longer list a warning if the plugins directory has permissions of 755.
  • Bug Fix: Fixed incorrect text describing the "Backups to Retain" database backup setting.


  • Bug Fix: Fixed regression that prevented adding wildcard IP's in the form of 'XXX.XXX.XXX.*' to Ban Hosts.
  • Bug Fix: When a file scan is run from iThemes Sync, a warning will no longer be added to the site's error log.


  • Enhancement: Minor refactoring for performance and scalability.
  • Enhancement: Add ITSEC_BACKUP_CRON constant to replace plugin's backup scheduler with wp_cron.
  • Enhancement: Add dashboard reminder to salts to prompt for periodic salt changes.
  • Enhancement: Limit the number of lockouts that can be displayed at any given time in the dashboard.
  • Fix: Make sure header error messages are suppressed when performing a lockout.
  • Fix: Fix error message from missing login information when displaying lockouts.


  • Fix: Quick banning IPs will now work correctly if existing htaccess rules are in place
  • Fix: minor bug fixes and typo corrections.


  • New Feature: Change WordPress Salts
  • Enhancement: Refactored ITSEC_Lib and ITSEC_Files for better usability and new functions to make changing salts possible


  • Fix: Fixed typo on file change warning emails.
  • Fix: Fixed duplicate module listsing on log page dropdown
  • Fix: Fixed missing lockouts on iThemes Sync dashboard


  • New Feature: Add file/folder permissions check to Dashboard
  • Fix/Enhancement: Code refactoring of numerous modules
  • Fix: Hiding available updates in multi-site will no longer block wp-cli from detecting updates.
  • Fix: Removed leftover JavaScript debugging statements.


  • New Pro Feature: Google reCAPTCHA
  • Fixed: Removed unneeded fields in malware


  • New Pro Feature: wp-cli integration
  • New Feature: Temporarily whitelist your IP address via iThemes Sync
  • New Feature: Override proxy IP detection
  • New feature: Hide admin bar (if desired)
  • New Feature: Perform file scan via iThemes Sync
  • New Feature: Perform malware scan via iThemes Sync
  • Enhancement: Added filter to allow for custom log pages
  • Enhancement: Added debug constant to help troubleshoot multiple emails
  • Enhancement: Added constant to force digest emails via wp-cron instead of custom timing
  • Fixed: Various missing variable fixes were added
  • Fixed: MySQL errors on MySQL 5.6 during activation were fixed.
  • Fixed: HTML emails now contain HTML tag
  • Fixed: Lockout count in emails should now be more accurate
  • Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix)
  • Fixed: Added filters to SSL to try to catch more assets
  • Fixed: Suspicious query strings feature should no longer conflict with many plugins
  • Fixed: File change detection should no longer throw an error if opendir failed


  • Fixed: App passwords in two-factor authentication will now correctly authenticate themselves.


  • New Pro Feature: Temporary privilege escalation


  • Enhancement: More time/date information is now shown in the logs for file change scanning
  • Fixed: Filechange will no longer show false positives with every change in DST (although this will cause run round of such notifications on update).
  • Fixed: Link to malware scanning logs will work.


  • New Pro Feature: File change scanning will now compare WordPress core files to the repository.
  • Fixed: Make sure php_gid is always defined to prevent error message if the function is not usable.
  • Fixed: Link to BackupBuddy in admin bar will now work correctly.


  • New Pro Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard.
  • Fixed: When using wp-cron for file checking cron check will run daily instead of hourly.


  • Fixed: Error on line 1312 when iThemes API is actived with version 4.4.15


  • Enhancement: File change summary emails are more concise and will avoid extra information
  • Fixed: Hide backend will now work with Jetpack's JSON API authorization.
  • Fixed: Option to change user ID 1 will correctly disappear when not present
  • Fixed: Removed empty user agent from default blacklist to avoid issues with external services
  • Fixed: File change folder check will no longer scan directories outside of ABSPATH for any reason
  • Fixed: Adding define( 'ITSEC_FILE_CHANGE_CRON', true ); to wp-config.php will cause the file change scanner to only run once daily via wp-cron.
  • Fixed: Compatibility issue where strong password enforcement could cause an error if passwords are changed outside of the core of WordPress
  • Fixed: Lost password url should now be correct on multisite.
  • Fixed: fixed duplicate ID issue from user_id_exists calls.
  • Fixed: Fixed an error in the lockout module that results in an error for users of multisite
  • Fixed: Notification emails will no longer send if not turned on
  • Fixed: Duplicate messages will not be allowed in digest emails
  • Fixed: Duplicate digest emails will have a far lesser chance of sending
  • Fixed: User lockout count in email notifications will now be correct


  • Enhancement: Default log rotation changed from 30 days to 14 days
  • Fixed: All logs page will properly display even with 50,000+ entries in the log


  • Enhancement: Updated copy on Virustotal API key to indicate that a private key is not needed.
  • Fixed: More complete check for user id when resettings password will prevent undefined index login on line 62 error.
  • Fixed: Fixed a bug that prevented the api key from saving after resetting the key.
  • Fixed: Removed errors that could occur due to the use of custom capabilities and roles.


  • New Pro Feature: Automatically generate strong passwords
  • New Pro Feature: Password expiration
  • Enhancement: Added a link to the actual timezone settings in the general settings page (instead of the top of the page)
  • Fixed: When an invalid log directory is detected it will not fail but will instead reset it to the original.
  • Fixed: No more duplicate digest emails
  • Fixed: No more "Array" message appearing in digest emails from user lockouts
  • Fixed: HTML in traditional file log emails will display correctly.
  • Fixed: From address in notification emails will now display correctly.
  • Fixed: MySQL errors will no longer appear for missing iThemes Security tables. Instead it will attempt to recreate them.
  • Fixed: Fixed missing "no changes" text in file change emails.
  • Fixed: Formatting of individual file change emails will now work.
  • Fixed: Fixed a bug in ban users user agents that would cause a crash on Apache if the user agent contained a space
  • Fixed: When an invalid backup directory is detected it will not fail but will instead reset it to the original.


  • Fixed: fixed possible undefined api_error variable on line 316 if WordPress believes the email address is invalid.
  • Fixed: failed calls to various apis will no longer throw a php error on failure.


  • Fixed: Fixed typos in digest email.
  • Fixed: Fixed typos in default network lockout message.
  • Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations


  • Fixed: Fixed an error that could occur on multisite due to a missing "core" object


  • New Feature: Add IPCheck Brute Force API integration
  • New Feature: Add ability to receive a daily digest email instead of individual emails per event.
  • Enhancement: Added "Go Pro" menu item to admin menus.
  • Enhancement: Added button to release IP address from temporary whitelist.
  • Enhancement: Reordered sidebar items to make it easier for the user to get to the information they need from iThemes
  • Fixed: introduction screen should now display completely on computers with low-resolution screens.
  • Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
  • Fixed: Scrolling table of contents should not cover side-bar items on pro.
  • Fixed: When changing admin user login form will no show the correct path when WordPress is not installed in the same directory as the website address.
  • Fixed: The plugins_loaded hook which fires on logout will now fire later to improve compatibility with iThemes Exchange
  • Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible.
  • Fixed: Added an extra flag in an attempt to reduce duplicate file-change detection executions.
  • Fixed: Added missing index.php files to directories that were missing them to ensure no information could be attained if directory is turned on.
  • Fixed: Make sure hide backend rewrite rules are consistent with the correct location of the WordPress login page when WordPress is not installed in the main website folder.
  • Fixed: File locking will try to create the iThemes Directory if it isn't already present rather than just saying a lock could not be attained.
  • Fixed: Fixed an error whereas an empty filter could display an error when building the log tables.


  • Low Severity Security Fix - Lack of access control patched - Sucuri (reported 19Aug2014)
  • Fixed an error in XMLRPC blocking when $username variable cannot be found


  • Remove error message if WP_Error is returned with wp_remote_post in malware scan
  • Fixed bug where away-mode was still enabled after one-time period has passed which could result in away mode activating when it should not
  • Ensure that individual module updates fire when updating the plugin
  • Added function to retrieve current URL from the front-end
  • Fixed error in brute force protection that counts valid logins with XML-RPC as bad logins towards a brute force lockout


  • Updated descriptions an instructions in malware scheduling to make the feature easier to use
  • Numerous typo corrections throughout dashboard
  • Clean up notifications for file change detection and malware scanning


  • Fixed an accidental disabling of file change scans introduced in 4.3


  • Added on-demand malware scanning for the homepage
  • Added better URL validation to ITSEC_LIB
  • Added exception for to prevent a local server from being locked out of a site during wp-cron or other calls
  • Added button to quickly add current IP address to permanent whitelist
  • Added appropriate message for logs page when logs are not available due to "file only" logging being selected
  • Fixed Error in 404 scanning if path field was empty
  • Updated's default blacklist
  • Modified support reminder to ask users to upgrade rather than donate
  • Use get_home_path() in place of ABSPATH to account for WordPress core in a different directory than wp-content
  • Use PHP comments in index.php file to account for the possibility of a scan including the file in which case the html comment could result in an error
  • Fixed various typos throughout the plugin dashboard
  • Added ability to prevent file change scanning from running on a given page load by defining ITSEC_FILE_CHECK_CRON to true
  • Cleaned up file change logging reports to me more clear when no files have been changed
  • Added feature to immediately ban user "admin" when no user "admin" exists on the site and a host tries to log in with it anyway
  • Added blank line to end of all textarea input to make it easier to input data
  • Added brute force checks to XMLRPC calls to prevent brute force attacks against XMLRPC


  • Fixed a bug preventing file-change scanning from running when manually executed from the "Logs" page
  • Fixed a bug where an error could be generated if the saved files from the file change feature weren't properly saved
  • Fixed comment approval email links to make sure they work when a user is not logged in and hide backend is in effect
  • Fixed an issue that was preventing an IP from being permanently banned due to too many lockouts
  • Updated .htaccess rules for an IP that has been banned from too many lockouts to be more effective in more hosting environments
  • Fixed responsive issues in iThemes notifications that prevented notifications from being easily read on small screens.


  • Fixed error for missing function in hide backend


  • Fixed an error that could cause a 404 on the admin with hide-backend enabled.


  • Fixed error on line 55 of class-itsec-four-oh-four.php that could occur under certain circumstances


  • Don't filter hide backend hash until after schema redirect
  • don't send file change email on first scan
  • Fixed verbage when changing login URL
  • Modified ban users rewrites for apache. Should work with proxy and if setenvif isn't enabled.
  • Fixed get_module_path to prevent 404 errors on plugin assets
  • Fixed misplaced parenthesis forcing computer to always display it isn't whitelisted
  • Updated readme.txt


  • Added call to settings import/export module (pro)
  • Added button to restore default log location
  • Don't automatically load front-end classes in dashboard pages
  • Avoid errors on save if htaccess is completely empty
  • Only register activation/deactivation/install hooks in admin
  • Make sure temporary white-list is always available
  • Improved check for white-listed IP during lockout
  • Added ability to use constant to override server detection
  • Don't remove extra line spaces in .htaccess
  • Minor reformating and typo fixes
  • Make sure front-end classes are available only when needed
  • Fixed default types in file change settings
  • Added file type exclusion to 404 settings
  • Allow for Jetpack SSO to function with suspicious queries turned on
  • Use WordPress' PclZip for backup zip


  • Make sure backup disables itself when other backup solutions are present
  • Fix tweet link
  • Minor fixes and cleanup
  • Added call to two-factor module


  • Consolidate white lists into one option
  • Fix IP mask calculations
  • Fix NGINX IP range blocking
  • Update modules to use new logging
  • Minor refactoring
  • Add metabox for iThemes Sync
  • Update jQuery version in tweaks
  • Shortened file change array names to save space
  • Fixed links in lockout emails
  • Fixed IP mask calculations
  • Add call to pro user-logging module
  • Add ability to temporarily whitelist an IP address


  • Don't allow empty file types in file change exclusions
  • Add Sync integration for Away Mode
  • Minor typo and other fixes
  • Better cache clearing and formatting updates
  • Make sure rewrite rules are updated on this update
  • Remove extra (settings) items from admin bar menu (leave logs and important information)
  • Add WP_CONTENT_DIR to system information on dashboard
  • Move support nag to free version only and make sure it properly redirects
  • Fix check for presence of BackupBuddy to work with BackupBuddy >=
  • Clean up details views on log pages
  • Add username column to temp and lockouts tables
  • Lockout usernames whether they exist or not
  • Don't duplicate lockouts
  • Fixed malformed lockout error on lockout message
  • Don't display a host lockout when none exists
  • Add Sync integration to release lockouts
  • Improved reliability of brute force user lockouts


  • Miscelaneous typos and other fixes
  • Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php. Only flock will be used in these operations
  • Fixed a function not found error in the brute force module
  • Improved content filtering in SSL so that more images and other content will link with appropriate protocol.
  • Fixed hide backend in cases where a lockout has expired
  • Miscelaneous typos and other fixes.


  • Make sure "remove write permissions" works
  • Better descriptions on white list
  • Add pro table of contents if needed
  • Make sure security admin bar item works
  • Make sure lockout message only happens when needed
  • Suppress errors on readlink calls
  • Make sure class is present for permanent ban
  • Make sure white list is an array
  • Fix white listed IPs not working
  • Log when Away-mode is triggered
  • Make sure away mode file isn't accidently deleted
  • Make sure away mode doesn't even allow access to the login form (as it didn't in 3.x)
  • Enhance warnings on "Change content directory" settings
  • Better descriptions on white lists
  • Fixed XMLRPC label
  • Better XMLRPC Dashboard status
  • Don't allow logout action on wp-login.php with hide backend
  • Better check for variable in SSL admin


  • XMLRPC soft block should now work with WordPress mobile app
  • Make sure uploads directory is only working in blog 1 in multisite
  • Better checks for run method in module loader


  • Make sure backup directory is present before trying to use it
  • Make sure backup file method is respected on all backup operations
  • Added ability to limit number of backups saved to disk
  • Minor typo and other fixes
  • Only load front-end classes as needed
  • Add link to free support at .org forums
  • Remove select(?ed) from suspicious query strings for 3.9 compatibility
  • Fixed domain mapping issue (requires domain mapping plugin)
  • Remove array type errors on 404 pages
  • Remove remaining create function calls
  • Make sure logs directory is present before trying to use it
  • Log a message when witelisted host triggers a lockout
  • Don't create log files if they're not going to be used
  • Add pro tab if pro modules need it
  • Upgrade module loader to only load what is needed


  • Fix sorting by count in 404 Logs
  • Minor code cleanup
  • Make sure all wp_enqueue_script dependencies are in proper format
  • Reduce priority of hide backend init for better compatibility with other plugins
  • SSL now logs users out when activating to prevent cookie conflicts
  • When activating SSL Log out the user to prevent cookie conflicts
  • Use LOCK_EX as a second file locking method on wp-config.php and .htaccess
  • Minor code cleanup
  • Make sure all wp_enqueue_script dependencies are in proper format


  • Added ability to "soft" block XMLRPC to prevent pingback vulnerability while still allowing other access
  • Updated "Suspicious queary strings" to not block plugin updates
  • Update NGINX comment spam rewrite rules to better work with multi-site domain mapping
  • Move 404 hook in hide backend from wp to wp_loaded
  • Make sure super-admin role is maintained on multi-site when changing user id 1 and admin username at the same time
  • Make sure all redirects for hide backend and ssl are 302, not 301
  • Better resetting of SSL and disallow file editor on deactivation to account for more states
  • Make sure hide backend works with registration
  • Minor copy and other fixes
  • Update nginx rewrite rule on comment spam when domain mapping is active
  • Added the ability to disable file locking (old behavior)
  • Better file lock release (try more than 1 method) before failing
  • Don't automatically show file lock error on first attempt
  • Added Spanish translation by Andrew Kurtis


  • Clean up away mode to prevent lockouts on update or other points


  • Make sure unset admin user field remains if the other setting has been fixed
  • Removed admin user from settings table of contents
  • Make

Why does iThemes Security require the latest WordPress version? Can't I use a slightly older version?

  • One of the best security practices for a WordPress site owner is keeping software up to date. Because of this, we only test this plugin on the latest stable version of WordPress and will only guarantee it works in the latest version.

Will this plugin completely stop all attacks on my site?

  • No. iThemes Security is designed to help improve the security of your WordPress installation from many common attack methods, but it cannot prevent every possible attack. Nothing replaces diligence and good practice. This plugin makes it a little easier for you to apply both.

Is this plugin only for new WordPress installs or can I use it on existing sites, too?

  • Many of the changes made by this plugin are complex and can break existing sites. While iThemes Security can be installed on either a new or existing site, we strongly recommend making a complete backup of your existing site before applying any features included in this plugin.

Will this plugin work on all servers and hosts?

  • iThemes Security requires Apache or LiteSpeed and mod_rewrite or NGINX to work.
  • While this plugin should work on all hosts with Apache or LiteSpeed and mod_rewrite or NGINX, it has been known to experience problems in shared hosting environments where it runs out of resources such as available CPU or RAM. For this reason, it is extremely important that you make a backup of your site before installing on any existing site. If you run out of resources during an operation such as renaming your database table, you may need your backup to be able to restore access to your site.
  • Finally, please make sure you have adequate RAM if you plan to use the file change detector or make large backups.

Does this work with network or multisite installations?

  • Yes. We're in the process of developing more documentation, so we'll update this as soon as it's ready.

Can I help?

What changes does this plugin make that can break my site?

  • iThemes Security makes significant changes to your database and other site files which can be problematic for existing WordPress sites. Again, we strongly recommended making a complete backup of your site before using this plugin. While problems are rare, most support requests involve the failure to make a proper backup before installation. DISCLAIMER: Under no circumstances do we release this plugin with any warranty, implied or otherwise. We cannot be held responsible for any damage that might arise from the use of this plugin.
  • Note that renaming the wp-content directory will not update the path in existing content. Use this feature only on new sites or in a situation where you can easily update all existing links.
  • Fixing iThemes Security Lockouts
  • What is Changed By iThemes Security

I've enabled the Enforce SSL option, and it broke my site. How do I get back in?

  • Open your wp-config.php file in a text editor and remove the following 2 lines:
  • define('FORCE_SSL_LOGIN', true);
  • define('FORCE_SSL_ADMIN', true);

Where can I get help if something goes wrong?

  • Official support for this plugin is available for iThemes Security Pro customers. Our team of experts is ready to help.

Free support may be available with the help of the community in the support forums (Note: this is community-provided support. iThemes does not monitor the support forums).

Version 6.1.1

Requires WordPress version: 4.5 or higher

Compatible up to: 4.7.2

Last Updated 09 Feb 2017

Date Added: 23 Oct 2010

Plugin Homepage


4.7 stars
3799 ratings


Not Enough Data

Works: 0
Broken: 0