Plugin inspection:

iThemes Security (formerly Better WP Security)

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 4.3.11 of this plugin, but the most recent version is 9.3.2. These findings may no longer be correct.


  • At over 13,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
  • Variables from unknown sources are put directly into SQL without escaping (core/class-itsec-lockout.php line 149)
  • Encourages the user to make wp-config.php writeable by the PHP user (this is not in general safe): “Many of the functions of this plugin require editing your wp-config.php or .htaccess files. Would you like to allow us to safely update these files for you automatically?”

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Potential SQL injection.

Failure criteria

  • Execution of unprepared SQL statements
  • Very large codebase

Read more about our failure criteria.