What is the iThemes Security plugin?
iThemes Security has been rebranded as Solid Security by SolidWP (formerly iThemes, now under StellarWP/Liquid Web). It is one of the older WordPress security plugins, known for its approach of focusing on hardening WordPress installations — reducing the attack surface — rather than on malware detection or cleanup. The free version at WordPress.org covers login protection, brute force defense, file change detection, database backups, two-factor authentication, and a security check dashboard.
Solid Security Pro adds vulnerability scanning, automatic version management, trusted device recognition (flags new devices logging in as suspicious), passkey authentication (magic links and passwordless login), geographic IP blocking, and the Solid Central dashboard for managing multiple sites. The rebranding from iThemes to SolidWP brought a refocused positioning as part of a three-product suite: Solid Security, Solid Backups (formerly BackupBuddy), and Solid Central (formerly iThemes Sync).
One significant concern with Solid Security in production use: the plugin’s lockout mechanism can inadvertently lock administrators out of their own sites. This is documented in community forums and happens most often when login URL customization conflicts with admin authentication flows on certain hosting configurations. Testing on staging before deployment and keeping a server-level access method available is advisable.
Pricing starts at $99/year for Solid Security Pro on a single site. For teams that want the full SolidWP suite (security, backups, and management), the Solid Suite bundle is the more cost-effective option.
Key Features
- Brute force protection and login attempt limiting
- Custom login URL to obscure wp-login.php
- Two-factor authentication (TOTP)
- File change detection for core files
- Database backup scheduling
Pros & Cons
Pros
- Strong hardening-focused approach that reduces attack surface
- Two-factor authentication included in free version
- Trusted device recognition is a useful login anomaly detection feature
Cons
- Login lockout mechanism can accidentally lock admins out of their own sites
- Rebranding from iThemes caused confusion and access issues for some existing customers
Free vs Premium
Free version covers login protection, 2FA, file change detection, and database backups. Solid Security Pro ($99/year single site) adds vulnerability scanning, auto version management, trusted device recognition, passkeys, geographic blocking, and Solid Central access.
Common Problems & Fixes
I got locked out of my WordPress admin after installing Solid Security — how do I regain access?
If Solid Security’s brute force protection or login URL change has locked you out, regain access at the server level. Connect via FTP or your hosting file manager, navigate to wp-content/plugins/ and rename the solid-security-pro or ithemes-security-pro folder (e.g., append -disabled). This deactivates the plugin without needing admin access. You can then log in normally, re-enable the plugin, and reconfigure the lockout settings more conservatively.
Why is Solid Security's file change detection flagging files that have not been modified?
File change detection compares current file hashes against a stored baseline. If file timestamps changed (e.g., due to a hosting environment refresh, caching system, or backup restore), the scanner may flag unchanged files. Rebuild the file integrity baseline in Solid Security → Site Scans after any major event like a plugin update, backup restore, or hosting migration to reset the comparison point.
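To triage such alerts outside the plugin, the following added example (not Solid Security's own code) records both a SHA-256 hash and the modification time per file, so a later scan can separate real content changes from timestamp-only changes. The function names, the TSV layout and the demo tree are assumptions made for illustration; it expects GNU coreutils.

```shell
#!/bin/sh
# Added example, not the plugin's implementation. Assumes GNU coreutils
# (sha256sum, stat -c, touch -d) and file paths without tabs or newlines.

# build_baseline DIR OUT: one "path<TAB>sha256<TAB>mtime" line per file under DIR.
build_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\t%s\n' "$f" \
        "$(sha256sum < "$f" | cut -d' ' -f1)" "$(stat -c %Y "$f")"
    done ) > "$2"
}

# compare_baseline OLD NEW: classify every difference between two baselines.
#   MODIFIED = content hash differs (investigate)
#   TOUCHED  = same hash, different mtime (restore, migration, cache refresh)
compare_baseline() {
  awk -F'\t' '
    FILENAME == ARGV[1] { hash[$1] = $2; mtime[$1] = $3; next }
    {
      seen[$1] = 1
      if (!($1 in hash))        print "ADDED\t" $1
      else if (hash[$1] != $2)  print "MODIFIED\t" $1
      else if (mtime[$1] != $3) print "TOUCHED\t" $1
    }
    END { for (f in hash) if (!(f in seen)) print "REMOVED\t" f }
  ' "$1" "$2" | LC_ALL=C sort
}

# Constructed demo tree: one timestamp-only change, one real edit, one new file.
demo() (
  work=$(mktemp -d) || exit 1
  mkdir -p "$work/site/wp-content/plugins/example"
  echo '<?php // core file' > "$work/site/index.php"
  echo '<?php // plugin file' > "$work/site/wp-content/plugins/example/example.php"
  build_baseline "$work/site" "$work/old.tsv"
  touch -d '2001-01-01 00:00:00' "$work/site/index.php"   # e.g. a backup restore
  echo '// edited' >> "$work/site/wp-content/plugins/example/example.php"
  echo 'new' > "$work/site/new.txt"
  build_baseline "$work/site" "$work/new.tsv"
  compare_baseline "$work/old.tsv" "$work/new.tsv"
  rm -rf "$work"
)
demo
```

Files reported as TOUCHED are the ones a baseline rebuild is meant to clear; anything MODIFIED, ADDED or REMOVED should be explained before the baseline is reset.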
Why is the Solid Security custom login URL not working after setup?
Custom login URLs work via .htaccess rules. If the custom URL returns 404 or redirects incorrectly, check that your .htaccess file was updated correctly and that your hosting supports .htaccess overrides. On Nginx servers, .htaccess rules do not apply — server-level Nginx configuration is required instead, and the custom login URL feature may not function without hosting support.
Customization & Developer Notes
How do I set up two-factor authentication for all admin users in Solid Security?
Go to Solid Security → Users → Two-Factor Authentication. You can require 2FA by user role — set admin and editor roles to require TOTP or email-based 2FA. Users will be prompted to set up their 2FA method on their next login. Trusted device recognition (Pro) lets users skip 2FA on recognized devices after the first setup.
Can Solid Security block login attempts by country?
Yes, with Solid Security Pro. Geographic IP blocking is in the Pro settings under the Firewall section. You can block login access from specific countries or restrict admin access to allowlisted countries. Free users can manually block specific IP addresses but cannot block by geography.
Frequently Asked Questions
Is Solid Security (iThemes Security) the same as before the rebranding?
The core functionality is the same plugin, now under the Solid Security name and SolidWP branding. Existing iThemes Security Pro licenses were migrated to Solid Security Pro. The features and codebase are continuous — the rebrand reflects the repositioning of the company, not a new plugin.
Does Solid Security scan for malware?
Solid Security Pro includes vulnerability scanning (checking installed plugins and themes against known vulnerability databases) but does not perform deep malware code scanning. For malware detection and removal, Wordfence, MalCare, or Sucuri are more appropriate tools.
Can I use Solid Security on WooCommerce stores?
Yes, but test carefully. Login URL customization and login attempt limiting can interfere with WooCommerce’s checkout login flow if not configured correctly. Test the entire checkout process including guest checkout and account login after configuring Solid Security on a WooCommerce site.
What is the difference between Solid Security and the Solid Suite bundle?
Solid Security is the security plugin alone. Solid Suite bundles Solid Security Pro, Solid Backups Pro (WordPress backup), and Solid Central (remote multi-site management) at a discounted price compared to purchasing each separately. For teams managing multiple WordPress sites who need all three functions, Solid Suite is the most cost-effective path.