Solid Security (formerly iThemes Security) Review | Your Guide to Web Application Firewalls

Overview

Solid Security, formerly known as iThemes Security, is a well-established WordPress security plugin now part of the SolidWP family under StellarWP and Liquid Web. With over a decade of development, it has evolved from a basic hardening plugin into a full security suite with firewall capabilities powered by Patchstack's virtual patching engine.

The firewall in Solid Security Pro integrates Patchstack's vulnerability database, automatically applying virtual patches to protect against known plugin and theme vulnerabilities before developers release official fixes. This is particularly valuable for the WordPress ecosystem where third-party plugins are a major attack vector.

Beyond the firewall, Solid Security provides comprehensive hardening features including two-factor authentication, password requirements enforcement, file change detection, database backups, and a unified security dashboard. The Pro version adds passwordless login via passkeys, trusted devices management, and advanced user security features.

As part of the SolidWP ecosystem alongside Solid Backups and Solid Central, it offers an integrated WordPress management experience for agencies and site owners managing multiple WordPress installations.

Ratings Breakdown

Ease of Use 4.3/5

Value for Money 4.2/5

Customer Support 4.0/5

Features 4.0/5

Key Features

Patchstack Firewall

Virtual patching rules powered by Patchstack that protect against known plugin and theme vulnerabilities automatically.

Two-Factor Authentication

Multiple 2FA methods including authenticator apps, email codes, and backup codes for all user roles.

Passwordless Login

Site Scanner

Checks for known malware, vulnerabilities in plugins and themes, and blocklist status.

File Change Detection

Monitors WordPress core files and alerts when unexpected changes are detected.

Security Dashboard

Unified dashboard showing security status, recent events, and actionable recommendations.

Trusted Devices

Recognizes trusted devices and restricts admin access from unknown devices (Pro feature).

Pros & Cons

Pros

Patchstack integration
Virtual patching powered by Patchstack''s vulnerability database provides automatic protection against known exploits.
Modern authentication
Passwordless login via passkeys and trusted devices management provide cutting-edge login security.
Established track record
Over 15 years of development as iThemes Security with millions of installations worldwide.
SolidWP ecosystem
Integrates with Solid Backups and Solid Central for comprehensive WordPress site management.
Affordable Pro tier
At $99/year for full features including Patchstack rules, it offers excellent value.

Cons

Firewall is newer
The Patchstack-powered firewall is a more recent addition; firewall capabilities are less mature than Wordfence.
Brand confusion
The rename from iThemes Security to Solid Security has created some confusion in the WordPress community.
Free tier is limited
The free version lacks the Patchstack firewall rules, providing only basic hardening without active WAF protection.
Ownership changes
Multiple ownership transitions (iThemes to Liquid Web/StellarWP) may concern some users about long-term direction.

Pricing

Pricing model: Freemium (Free tier + annual Pro license)

Free

Basic security hardening and brute force protection

Basic security hardening
Brute force protection
File change detection
Strong password enforcement
Two-factor authentication

Pro (1 site)

$99/year (~$8.25/month)

Full firewall with Patchstack virtual patching and advanced security

Everything in Free
Patchstack firewall rules
Virtual patching for vulnerabilities
Passwordless login (passkeys)
Trusted devices management
Site scanner (malware + vulnerabilities)
Magic links

Pro (multi-site)

From $199/year

Pro features for multiple WordPress sites

Everything in Pro
Multi-site license
Solid Central management
Volume pricing available

Our Verdict

Solid Security has reinvented itself with the integration of Patchstack's virtual patching engine, addressing one of WordPress's biggest security challenges: vulnerable plugins. The automatic virtual patching means your site is protected against known exploits even before plugin developers release fixes.

The modern authentication features—passwordless login via passkeys and trusted devices—put Solid Security ahead of competitors in login security. Combined with its established hardening features and the broader SolidWP ecosystem, it provides a comprehensive security solution.

Our verdict: A strong choice for WordPress users who value automatic vulnerability patching and modern authentication. The Patchstack integration makes it particularly good at protecting against the plugin vulnerability epidemic in the WordPress ecosystem.

CVE Coverage

Solid Security (formerly iThemes Security) can detect and block attacks matching 61K+ known CVEs based on its supported rule sets.

7.9K+

Critical

8.8K+

High

30K+

Medium

313

Low

Coverage by Attack Type

Cross-Site Scripting (XSS) High

36K+ CVEs

SQL Injection High

14K+ CVEs

Improper Input Validation Medium

8.4K+ CVEs

Open Redirect Medium

1.4K+ CVEs

XML External Entity (XXE) High

1.2K+ CVEs

Latest Blockable CVEs

CVE	Description	Severity
CVE-2026-4510	A weakness has been identified in PbootCMS up to 3.2.12. This impacts the function alert_location …	MEDIUM
CVE-2026-4161	The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via …	MEDIUM
CVE-2026-4087	The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the …	MEDIUM
CVE-2026-4086	The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …	MEDIUM
CVE-2026-4084	The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …	MEDIUM
CVE-2026-4077	The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via …	MEDIUM
CVE-2026-4072	The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …	MEDIUM
CVE-2026-4069	The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via …	MEDIUM
CVE-2026-4067	The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' …	MEDIUM
CVE-2026-4022	The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable …	MEDIUM

Browse all CVEs →

Frequently Asked Questions

Is Solid Security the same as iThemes Security?

Yes, Solid Security is the rebranded version of iThemes Security. The plugin was renamed when iThemes became part of the SolidWP brand under StellarWP/Liquid Web. The core functionality remains the same with continued improvements and the addition of Patchstack firewall integration.

How does the Patchstack firewall work?

Patchstack maintains a database of WordPress plugin and theme vulnerabilities. When a vulnerability is discovered, Patchstack creates a virtual patch—a firewall rule that blocks exploit attempts for that specific vulnerability. Solid Security Pro automatically receives and applies these rules, protecting your site even before the plugin developer releases an official fix.

Can I use Solid Security alongside Wordfence?

Running two security plugins with firewall features simultaneously is not recommended as they can conflict. Choose one as your primary security plugin. If you prefer Wordfence's WAF but want Solid Security's 2FA or passkey features, you may be able to use a standalone 2FA plugin instead.

Ready to try Solid Security (formerly iThemes Security)?

Start with the free tier and upgrade as you grow.

Visit Website View Pricing