Wordfence vs iThemes

I know cybersecurity, but I’m not as fluent in wordpress security so I’m looking at plugins. I’m debating between Wordfence and iThemes Security. I want something that will scan for issues on a regular basis (free version preferably) and something that I can get either a stand alone report on a monthly basis or the report added to the Pro Reports I run monthly on a client site.

For someone who knows very little about Wordpress Security, which would you recommend? It seems that the only advantage to Wordfence I can see is the WaF, but my web host gives me a firewall anyway.

Does anyone know if iThemes does scanning on it’s own on the free version? I know you can schedule scans on the paid version.

How then do we get a report from either of them, and which would be better for my small business clients?

I’m using Wordfence (free version) for years on all (about 240) websites I maintain. I’ve never used iThemes myself, but have cleaned multiple hacked sites that were using iThemes and were still hacked. I’ve also fixed a couple of sites where my clients were locked out by iThemes (not just based on their IP).
Wordfence has a great team, good documentation and a very rich YouTube channel:

I’m not using the reports extension, because my clients just trust me that I do my job and don’t bother them with things they shouldn’t worry about. But if I say this correctly Wordfence information should be available for reports. Others can tell you more about that.


Can I pick your brain about your setup? Do you have the WAF turned on? I heard it runs on my server and eats resources. Can we compare what features you have enabled and how you are reporting? Right now I get a daily email but that is just because I’m testing it.

WAF is enabled and optimized, so it’s loaded before WP is loaded. That should use less resources. In the past Live traffic was setup by default to log all traffic and that caused a big load ofcourse, so I’ve always set that to Security only, which is the default for a couple of years now.
I’m running 2 rather small VPS with 20-30 sites each, with Wordfence on every site. I’m monitoring the load on these servers and Wordfence is no issue.

Another thing I change in the settings is the Brute Force Protection. This is set by default to 20 logins, 20 password recovery attempts, within 4 hours, results in a block of 4 hours. My setup on every site is 5 logins, 3, password recoveries, within 30 minutes, results in 2 months block.

The rest of the settings are mostly default, but you can tweak it as you like. On YouTube there are video’s that explain every setting.

As I said before I’m not reporting. Or do you mean the notifications from Wordfence? I’m sending the High and Critical events to Slack by using Wordfence Central (also free). Everything can be tweaked to what suits your way of working.

Thanks for the tips. Sorry I mis-read your reply I thought you said you use the report, not that you are not using. My bad. Thanks for the help. I never really thought about it before if my clients even read the reports I send.

1 Like

I just ran Wordfence against my site as a quick test. it came back with this result. I have six sites I’m testing it on an so far I found only one result on most of them. On my main site I find this. Any ideas?

These files look like backups or something. You can go to the details of each file and view it. That might give you an idea if there is really malware in it or they are just backups (that shouldn’t be there). In the end you should delete these files, because they don’t belong in the wp-admin folder.

If these files are backup files, you can also check the timestamp when they were created/changed and try to figure out what happened at that moment.

I use iThemes Security on all of our WP sites (~150). I’ve never had a compromised site.

I’m comfortable with iThemes because our server is using Imunify360 (firewall) and modsecurity. I’m relying on our server for the firewall rules and iThemes for extra hardening measures.

I find this to be a good combination of security and performance.