iThemes Working Fast To Fix Users Upgrade Woes

Better WP Security Featured Image

Last week, we reported the Better WordPress Security plugin would be renamed to iThemes Security. We also shared important details to prepare users for the upgrade. Because of the name change, users needed to re-enable the plugin or risk seeing errors. Despite the beta testing period, the upgrade process hasn’t gone smoothly for some users. Some have chosen to vent their frustrations by writing one star negative reviews.

I don’t like writing bad reviews. Three days ago I would give this plugin five stars without hesitation. Unfortunately, upgrading to 4.02 and then 4.05 broke the checkout functionality on my web store which resulted in lost sales and no clear solution in sight. Definitely a rushed update with insufficient testing.

Considering the plugin has over 1.8 million downloads, it’s inevitable some users would run into problems. As is the nature of software development, internal testing can only get you so far. According to Chris Wiegman, primary developer for iThemes Security, the plugin underwent the largest amount of beta testing by iThemes.

If you haven’t upgraded yet, I encourage you to read this guide which lists the most common issues related to the 4.0 update.

Beta Testing Only Gets You So Far

While some of the blame can be placed on iThemes Security for not picking up on specific bugs, it’s impossible to test in every conceivable environment or combination thereof. Take WordPress for example. Despite thousands of people participating in the WordPress beta period, a lot of bugs and problems are reported after the stable version is released. It makes sense because the amount of users and environments using the stable version are far greater than the number participating in the beta period.

iThemes Is Working As Fast As They Can To Fix Bugs

I got in touch with Cory Miller, CEO of iThemes, and asked him what the team is doing to address issues users are having with iThemes Security. Considering the number of users and types of changes made to the plugin, the team thinks overall, the upgrade has gone well.

Our motto has always been to ship good, tested work and iterate on it fast. As we get more data on bugs and issues, we’re seeking to figure them out and handle them accordingly. This is a commitment we’ve held since 2008 and will into the future.

Prior to launch, we had the biggest beta program for this release we’ve ever had and tested as thoroughly as we could (internally and with our beta group). We did our best, testing this before release, but any good software developer will tell you, especially with the variety of hosting and WordPress setups that you’re bound to miss something.

If you encounter a bug, please report it to iThemes. The team will be working hard this weekend to squash any bugs that have been reported thus far.

9 Comments


  1. Yeah I would have left out “PURCHASE SUPPORT BY BUYING ITHEMES SECURITY PRO”
    Not that they intentionally broke it to get people to buy pro support but if I didn’t know and trust iThemes that would leave a bad taste in my mouth. Someone not familiar with them may start going all tinfoil-hat on them.

    As someone who pays for a number of ithemes products (backupbuddy, stash etc) I’m fairly confident they’ll have this taken care of soon. They have some of the best support in the business

    Report


  2. Similar thing happened when the Quick Cache plugin guys brought out a pro version, but I was fortunate enough to see that there had been problems and didn’t upgrade until the problems had been sorted.

    Quick Cache problems were sorted pretty quickly but lots of low score and negative comments had been posted by then – damage done and the plugin rating fell like a stone.

    “…because the amount of users and environments using the stable version are far greater than the number participating in the beta period.”

    That makes sense and with a plugin as complicated as ” iThemes Security” testing must be pretty complex, but if your site is the one that’s broken… you don’t see things in such a clear light.

    I don’t use this plugin but thanks for the heads up Jeff and I’m sure that this one will get a good conversation going in the comments.

    Report


  3. The version 4 rollout is a bit of a disappointment. A few good features have been added. However, the hide backend feature breaks front-end ajax functionality which was fixed back in version 3.0.10. That affects WooCommerce, numerous Event calendars and likely hundreds of other plugins in the WordPress.org repository based on a simple search of “ajax”. The ability to manually clear log files has also been removed, requiring users to resort to other means to clear the itsec_log table. We’re indifferent on the changes to the interface, but can understand why some people don’t like it that all settings are on one tab.

    We think Chris Weigman’s work on this plugin is generally terrific and expect the issues we’ve identified along with those identified by others will get resolved quickly, but we’re sticking with version 3.6.5 for now.

    Report


  4. I think owner of better wp security wants to sell their product. As it previous versions better wp security was free of cost, we don’t have to purchase it for pro version. But after updating better wp security to iThemes, owner has also added pro version. Why for pro version?

    Report


  5. I’ve used Better WP Security for a long time. I’ve loved it. Had no issue with iThemes buying it except…

    The Hide backend issue cost me a lot of time to fix on all my sites. It’s not so easy to turn it off if you can’t login in the first place. Thank the heavens for FTP.

    The ability to manually remove log files I don’t understand at all and would like to see it restored.

    And don’t forget to check the box if you use InfiniteWP, that’s a new one.

    For now I’ve decided to downgrade.

    Report


  6. https://wordpress.org/support/view/plugin-reviews/better-wp-security/page/1
    Even uninstalling the plugin doesn’t fix the issue, you have to dig into .htaccess and wp-config.php files to remove the lines of code the plugin left.
    =====================
    The only way back in to my site is to disable the plugin via FTP. If I want to try to edit settings on the plugin, I have to delete it and re-install it, which only works temporarily. Then, after a few hours, the site locks down again.
    =====================
    To fix it you need to delete (or rename) your .htaccess file (then put in a blank one and make sure you update your permalinks once you’re back in your admin panel), then delete (or rename) the entire iThemes crap plugin. Only then will you be able to access your admin panel.
    =====================
    The only way to gain access to your dashboard is to disable (rename) the plugin via ftp.
    =====================
    This was an excellent plugin until the developers decided to change the name. Then many experienced issues with it. I experienced one of the worst issues that can happen to someone who’s not a programmer: I was totally locked out of my website and I had to fix it on my own. That’s because no matter how much I tried communicating with them they never gave me an answer. If they want profit by selling tech support they should turn the plugin premium, not riddle it wih issues so people are forced to buy their support.

    I recommend that you don’t install this plugin if you can avoid it.
    =====================
    Nuked my admin area. Little did I know it was this plugin that did it, till I ended up removing my installation, reinstalling, restoring from a DB backup, and then installing this plugin again. Even a visit to the dev’s website didn’t reveal anything that would’ve tipped me off. It took visiting the forums here before I put 2+2 together, renamed the plugin directory, and finally regained access.
    =====================
    Clients updating their sites as advised found themselves locked out of admin even without having changed the wp-admin login url in Hide Backend.

    I had to delete the plugin via ftp and also (thanks to a forum post) the folder wp-content/uploads/ithemes-security; run WP-Cleanup; re-install the pre-iThemes version of the plugin, activate, deactivate and uninstall it; then install and activate the latest iThemes version 4.0.5 on every site….

    This used to be a 5* plugin. I use iThemes BackupBuddy all the time (Developer) and recommend it. I was looking to invest in the developer edition of iThemes Security Pro but this has seriously put me off.

    I can’t believe this issue did not flag in testing given the number of people affected by the update issue.
    =====================
    Good Lord, people. Don’t you ever test your plugins before announcing an upgrade?

    Locked out of my own site because your plugin failed? Now only the hackers can get in. Nice.

    Not trusting you with my security again.
    =====================
    It’s not the first time I’ve been locked out of my admin area by ‘Better’ WP Security. But it is the last. I’ve finally got back in and the first thing I did was delete your plugin.
    =====================
    It’s unfortunate that I did not read the reviews of the update to the “NEW” iThemes Security v4.x from Better WP Security 3.x. I would have avoided the headache and time invested back leveling the plugin.

    It’s obvious iThemes wants the new 4.x plugin to ride on the success of the BWS 3.x plugin even though they say it’s a total rewrite, a bit misleading to not let the new plugin develop it’s own reputation. I rate this new plugin a 0 despite the lowest rating available of 1.
    =====================

    Report


  7. Yes, I’ve been locked out twice in the last three days and not only that, but the WHOLE site goes down. I looked to see if it was just me or the whole site on a different browser, and yes, seeing the same blank screen on both.

    I have email notifications enabled and with each crash got an email that a host at xyz IP address was locked out due to too many attempts to access a file that does not exist. The xyz IP address is mine! I wonder if there’s something regular running, like a cache emptying, that triggers this.

    Anyway, I would hardly dismissed this as something happening a few users. Nonsense. This is serious. And if you try to contact them, you get a snippy email directing you to the forum, which is only available for posting to people who buy the “premium”.

    Any recommendations for a GOOD security plugin?

    Report


  8. The bigger problem wasn’t really the actual plugin breaking websites, but the huge lack of support in the forum. Only in the last few days iThemes support account showed up to answer some threads, leaving others untouched.

    Yes, it is a free plugin and people use it at their own risk and support isn’t guaranteed – but there’s a certain ethical responsibility to users of your plugin that carries your company’s name and has a commercial support to help resolve issues you created with a new version. Even if you overlook the ethics, look at the PR storm this has caused.

    Report


  9. Up until May 18th, I would get about 3 alerts per day indicating that my hosting provider (IP xx.xx.xx.xx) was locked out of my website for too many attempts to access a file that does not exist.

    Furthermore, the plugin blocks Googlebot, MSNbot, Yahoobot… essentially it causes your organic rank to plummet.

    After reading, I can see this is a major bug in iThemes Security.

    Now, I’m getting locked out of my own site about 3-4 times per day, with an inability to access it using my login ID.

    The impression I get is that iThemes placed into circulation an pre-alpha release of this product, charged for the premium product, used the money generated to turn it into a beta product, and so on and so forth.

    You don’t release plugins that cause this much grief to people. It should have been tested for 6 months prior to release with real blog sites. When you invent a new drug, do you test it out on human babies before doing preclinical tox and testing on animals?

    So what do you get with the paid version, Xanax, or perhaps a steel shovel to render yourself unconscious until it’s all over?

    This plugin has potential, however the way it was introduced is inexcusable.

    Report

Comments are closed.