If you've been using iThemes Security, you may have noticed it's now called Solid Security. This Solid Security review (and iThemes Security review, depending on what you still call it) explains what changed.
This rebrand has confused. Is this the same plugin? Did it change? Should you keep using it, switch to something else, or remove it entirely?
I'll cut through the confusion and give you a clear assessment of what Solid Security is today and whether it deserves a place on your WordPress site.
The iThemes Security to Solid Security Rebrand
iThemes Security was one of the original WordPress security plugins, originally launched as "Better WP Security." It built a solid reputation over many years.
Then came acquisitions and rebranding.
Liquid Web acquired the product and eventually consolidated it under the SolidWP brand, which also includes SolidBackups (formerly BackupBuddy) and SolidMail. iThemes Security became Solid Security.
What actually changed?
The core plugin architecture remains largely the same. The rebrand was primarily organizational. If you were happy with iThemes Security before, the functionality hasn't fundamentally shifted.
The real question is whether Solid Security, regardless of its name, provides the protection you need.
What Solid Security Does
Solid Security (formerly iThemes Security) focuses on WordPress hardening. This is a different approach than Wordfence or Sucuri's free plugin.
WordPress Hardening
Hardening means locking down potential vulnerabilities before attackers can exploit them. Solid Security provides:
- Changing default WordPress security settings
- Hiding the login page URL
- Preventing file editing through the dashboard
- Removing unnecessary information from headers
- Enforcing strong passwords
- Limiting login attempts
These measures reduce your attack surface. They don't stop attacks directly, but they make your site a harder target.
Brute Force Protection
Solid Security monitors login attempts and blocks IPs that fail repeatedly. This prevents automated attacks from guessing credentials.
The protection is effective against basic brute-force attacks, though it shares the same reactive limitation as other plugin-based solutions: the attack must reach your server first.
Two-Factor Authentication
The plugin provides 2FA for WordPress logins. Users can authenticate with a second factor beyond their password, significantly reducing the risk of compromised credentials.
2FA is genuinely valuable security, and Solid Security's implementation works.
File Change Detection
Solid Security monitors your files and alerts you when something changes. This helps identify unauthorized modifications that might indicate a compromise.
The detection is useful, but it's detective (after the fact) rather than preventive. By the time you're alerted to changes, something has already happened.
Patchstack Integration
Solid Security has partnered with Patchstack to provide virtual patching. When vulnerabilities are discovered in plugins or themes, Patchstack can provide temporary protection even before the plugin developer releases a fix.
This is a meaningful feature. Zero-day vulnerabilities are a real threat, and having a layer of protection during the window between disclosure and patch is valuable.
What Solid Security Doesn't Do
Understanding the limitations of Solid Security (and what iThemes Security never offered) is as important as understanding features.
No Traditional Malware Scanner
Unlike Wordfence, Solid Security doesn't include a comprehensive malware scanner. File change detection isn't the same as malware scanning.
If your site is infected, Solid Security will help you identify which files have changed, but it won't identify the malware or clean it up.
No Web Application Firewall
Solid Security doesn't include a WAF like Wordfence does. The brute-force protection and hardening features provide some defensive capabilities, but they're not equivalent to a firewall that analyzes and blocks attack patterns.
Hardening Isn't Protection
This is the key distinction. Hardening reduces your attack surface. It makes you a harder target. But it doesn't actively block sophisticated attacks.
Think of hardening like locking your doors and windows. It's necessary and sensible, but it won't stop someone with more advanced tools. Hardening is one layer, not a complete security solution.
Solid Security Free vs Pro
| Feature | Solid Security Free | Solid Security Pro |
|---|---|---|
| Price | $0 | $99/year |
| WordPress Hardening | ✓ Yes | ✓ Yes |
| Brute Force Protection | ✓ Yes | ✓ Yes |
| Two-Factor Authentication | ✓ Yes | ✓ Yes |
| File Change Detection | ✓ Yes | ✓ Yes |
| Patchstack Virtual Patching | ✗ No | ✓ Yes |
| Password Expiration Policies | ✗ No | ✓ Yes |
| User Activity Logging | ✗ No | ✓ Yes |
| Magic Links (Passwordless) | ✗ No | ✓ Yes |
| Trusted Devices | ✗ No | ✓ Yes |
| Priority Support | ✗ No | ✓ Yes |
| Malware Scanner | ✗ No | ✗ No |
| Web Application Firewall | ✗ No | ✗ No |
The free version covers the basics adequately. The Pro version's value proposition centers on Patchstack integration, which provides real security value and user logging for compliance-conscious organizations.
Note: Neither tier includes malware scanning or a traditional WAF. If you need those features, you'll need additional tools.
Solid Security (iThemes Security) vs Wordfence
These plugins take different approaches. (For more on Wordfence, see our full Wordfence review.)
Wordfence is a comprehensive security plugin that includes a firewall, malware scanner, and threat intelligence. It tries to be your entire security solution.
Solid Security (formerly iThemes Security) focuses on hardening and doesn't attempt to provide firewall or scanning capabilities.
Choose Solid Security (iThemes Security) if:
- You want hardening without complexity
- You have other security layers in place
- You don't need a malware scanner
- You value Patchstack's virtual patching
Choose Wordfence if:
- You want comprehensive plugin-based security
- You need malware scanning
- You want detailed visibility into attacks
- You prefer a more full-featured solution
Neither is inherently better. They're solving different problems.
Should Existing iThemes Users Keep Using It?
If you've been running iThemes Security and it's been working for you, there's no urgent need to switch. The rebrand didn't break anything.
However, consider these questions:
Is hardening enough? Solid Security doesn't provide malware scanning or a true firewall. If those features matter to you, you'll need additional plugins or services.
What else is protecting your site? If Solid Security is your only security tool, that's a problem. Hardening alone isn't sufficient protection for sites handling anything important.
Is your hosting doing the heavy lifting? On managed WordPress hosting with a robust security infrastructure, hardening plugins becomes less necessary. The server-level protection handles what Solid Security tries to address.
When Solid Security (iThemes Security) Makes Sense
As Part of a Layered Approach
If you have edge-level protection (Cloudflare) and server-level security (Imunify360), adding Solid Security for hardening provides defense-in-depth. (Learn more about this approach in security plugins vs server-level protection.)
The hardening features complement other security layers without overlapping significantly.
When You Want Simple Hardening
Solid Security's interface is cleaner than Wordfence's overwhelming settings pages. If you want basic hardening without complexity, it delivers. (For another hardening-focused free option, see our All In One WP Security review.)
For the Patchstack Integration
Virtual patching for zero-day vulnerabilities is a legitimate feature. If you run plugins that have had security issues, Patchstack provides a safety net during vulnerable windows.
When Solid Security Isn't Enough
As Your Only Security
Hardening alone doesn't protect against sophisticated attacks, malware, or threats that exploit vulnerabilities beyond what hardening addresses. If Solid Security is your entire security strategy, you're underprepared.
If You Need Malware Detection
Solid Security won't find malware on your site. File change detection tells you something changed, but not what. For malware detection and cleanup, you need Wordfence, MalCare, or a security service.
On Well-Secured Hosting
If your hosting includes Cloudflare, Imunify360, and proper server hardening, Solid Security's features are largely redundant. The hosting is already doing what the plugin attempts to do.
At FatLab, we include this level of infrastructure security. Clients don't need hardening plugins because the server environment is already locked down. Learn more about our managed WordPress security services.
The Bottom Line on Solid Security (iThemes Security)
Solid Security (formerly iThemes Security) is a legitimate hardening plugin with a clear focus. It won't overwhelm you with features, and it does what it claims to do.
The rebrand didn't fundamentally change the product. If you were successfully using iThemes Security, you can continue with Solid Security.
But understand what you're getting: hardening, not comprehensive security. Solid Security reduces your attack surface and provides some protective features, but it doesn't include malware scanning or a true web application firewall.
For sites that need serious protection, Solid Security can be part of the answer. It shouldn't be the whole answer.
If you're choosing a security plugin and want more comprehensive protection, Wordfence provides broader coverage. If you want simplicity and plan to layer Solid Security with other tools, it's a reasonable choice.
Whether you still call it iThemes Security or use the new Solid Security name, the fundamental reality didn't change: plugin-based hardening is one layer in what should be a multi-layer security approach.
For more on why plugins alone aren't enough, read our guide on WordPress security plugins and their limitations.