iThemes Security Now Has Brute Force Login Protection

iThemes announced Brute Force Login Protection has been added to the latest version of iThemes Security. The new feature enables users to protect their sites either locally or by activating a network wide setting.

  • Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified locally.
  • Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours.

Similar to BruteProtect acquired by Automattic earlier this year, network wide protection uses the power of each site using it to block known IP addresses from breaking into a site. This is possible thanks to the introduction of the iThemes Brute Force Protection Network.

Brute Force Login Protection Settings
Brute Force Login Protection Settings

By enabling this new setting in iThemes Security, the Brute Force Protection Network will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack.

Timing and Roadmaps

When I asked if there is a difference between the pro version of iThemes Security and the free version when it comes to Brute Force Login Protection, iThemes Security lead developer, Chris Wiegman, said, “There are no differences at all and no plans to change that. It’s originally a free feature and we want to keep it that way.”

When BruteProtect was acquired by Automattic, users expressed disappointment that they would have to use Jetpack. Was this move and the feedback surrounding it a motivating factor to add the feature to iThemes Security? “That was a bit of the timing but we’ve actually had it on the roadmap before I moved to iThemes. It is an effective way to protect against brute force login attempts that we just didn’t get up and running until now,” Wiegman said.

The Jetpack Of WordPress Security Plugins?


I’m not aware of any other plugin that comes close to what Jetpack offers. iThemes Security has so many protection mechanisms within the plugin, I think it  makes sense if each major feature was separated into a module.

iThemes Security could morph into a plugin like Jetpack with a focus on security. New modules could be developed to help make connecting to complimentary services easy. Development of the plugin might be made easier as well with contributors being able to focus on their favorite modules. The only thing preventing it from being like Jetpack in it current state are modules and a proper user interface to manage them. I wouldn’t be surprised if this is the direction iThemes takes with the plugin.

Respecting A User’s Privacy

One major difference between Jetpack and iThemes Security is that iThemes has chosen to leave the choice to users on whether network protection is enabled or not. Jetpack however, will auto-activate BruteProtect when it’s enabled. Wiegman explained two reasons why network protection is not enabled by default. “First, I don’t believe in auto activation. Second, as a security plugin we have an obligation to protect users privacy along with their site so anything that communicates remotely must be opt-in rather than opt-out.” While a noble choice on the part of iThemes, it may leave them with less data to work with than if it were enabled by default.

Choices Are Good

With nearly 3M downloads, the iThemes Brute Force Protection Network has an opportunity to become larger than BruteProtect’s before the company was acquired. Since the feature is free in both versions, it’s exposed to the maximum amount of potential users. It offers a choice to those who want this type of protection but don’t want to use Jetpack to get it. For those who want a single purpose plugin that only offers Brute Force Login Protection using the data from each site that uses it, you’re still out of luck.

2 responses to “iThemes Security Now Has Brute Force Login Protection”

  1. First, I don’t believe in auto activation. Second, as a security plugin we have an obligation to protect users privacy along with their site so anything that communicates remotely must be opt-in rather than opt-out.

    This is entirely true!

    I am glad that iThemes is going that route! It’s the only way the users privacy is fully respected. We need more companies that respect this and don’t use auto-activation and rather use opt-in techniques. The majority of users don’t want auto-activation of anything. And if you want to go internationally you should avoid it to avoid conflicts with legal restrictions in certain countries or areas. The mantra “decisions not options” doesn’t apply here because you should not patronize the user.

    I don’t know why the comparison with Jetpack is brought into this post here: both plugins are like apples and oranges. Jetpack don’t even has the pronounced brute-force module yet. And even if it had it one day, iThemes Security is a totally different plugin for 99% of other use cases.

    Some kind of module strategy may be a nice idea for iThemes Security, however, I doubt it makes full sense at the end of the day because many security tools depend on one another. So you should better collect modules or tools together that belong to each other or technically depend on each other to gain more security protection for the user.

    • Hi David,

      I don’t know about the Jetpack comparison either but iThemes Security already is modular in many ways (we just need our UI to reflect that). In our case all features are opt-in and if you haven’t selected “enable” for any given feature (as denoted by the individual meta boxes) than not only is that feature not active but its code won’t even load on your front-end ensuring that there is no performance issue or bloat left behind for the user. In addition, this allows to easily add or remove entire feature modules quite easily if needed.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: