30+ Security Features

Complete WordPress Security Suite

Every feature you need to protect your WordPress site from hackers, malware, brute force attacks, spam, and emerging threats. Explore all features in detail below.

Artificial Intelligence

AI & Threat Intelligence

Machine learning and crowdsourced data to detect zero-day threats before they strike

BETA

AI Scanner

Intelligent malware detection powered by advanced AI models. Analyzes suspicious code patterns and provides detailed explanations with fix suggestions.

  • Multiple AI Models: Uses multiple advanced AI models and agents
  • Vulnerability Analysis: Explains why code is vulnerable with attack scenarios
  • Fix Suggestions: Provides ready-to-use secure code replacements
  • Context-Aware: Detects if file is from plugin, theme, or WordPress core
  • Update Recommendations: Suggests updating if newer versions are available
  • Batch Scanning: Analyze multiple files or entire directories
How it works: Suspicious code snippets are sent to secure AI servers for analysis. No personal data is transmitted - only the code patterns being analyzed.
AI Analysis Result

Vulnerability Found: SQL Injection
File: wp-content/plugins/example/query.php
Line: 47

Vulnerable Code:
$wpdb->query("SELECT * FROM users WHERE id=".$_GET['id']);

Secure Fix:
$wpdb->query($wpdb->prepare("SELECT * FROM users WHERE id=%d", intval($_GET['id'])));

Recommendation: Plugin has update available.
Consider updating to v2.1.0 which may fix this issue.
                    

Crowdsourced Threat Intelligence

Real-time threat data collected from thousands of WordPress sites. When one site blocks an attack, all sites learn from it instantly.

  • Real-Time IP Blocklist: Known malicious IPs blocked automatically
  • Confidence Scoring: IPs rated by threat level (configurable threshold)
  • Automatic Sync: Threat data updates every 6 hours automatically
  • Zero-Day Protection: Block new threats before they're publicly known
  • Attack Pattern Learning: AI generates new detection patterns from attacks
  • Privacy-Focused: Only anonymized threat data is shared, never personal info
50K+ Malicious IPs Blocked
6hr Auto-Sync Interval
75%+ Default Confidence
Threat Intelligence Status
Last Sync 2 hours ago
Blocked IPs in Database 52,847
Malware Signatures 1,284
WAF Rules 847
Attacks Blocked Today 127

Your site contributed 3 threat reports this week, helping protect the network.

Live Traffic Monitor

Real-time visibility into every request hitting your website. See who's visiting, what they're accessing, and identify threats instantly.

  • Real-Time Dashboard: Watch traffic as it happens with auto-refresh
  • GeoIP Location: See visitor countries with flag icons
  • Threat Highlighting: Blocked requests shown in red with threat type
  • Response Times: Monitor page load performance
  • User Agent Analysis: Identify bots vs real users
  • Export Logs: Download traffic data as CSV for analysis
  • Zero Performance Impact: Async logging with batch database writes

Logging Modes:

  • Security Mode: Only logs blocked/suspicious requests (recommended)
  • All Traffic Mode: Logs every request for complete visibility
Live Traffic Monitor Recording
Time IP CC URL Status
14:23:45 192.168.1.1 🇺🇸 /wp-admin/ 200
14:23:44 45.33.32.156 🇷🇺 /wp-login.php BLOCKED
14:23:42 172.16.0.5 🇬🇧 /contact/ 200
14:23:40 185.220.101.1 🇨🇳 /xmlrpc.php BLOCKED
14:23:38 10.0.0.25 🇨🇦 /products/ 200

Security Score Dashboard

Visual security health assessment with a 0-100 score. Understand your site's security posture at a glance with actionable recommendations.

  • Overall Score: 0-100 score with letter grade (A+ to F)
  • Category Breakdown: Scores for each security area
  • Actionable Tips: Specific recommendations to improve score
  • Progress Tracking: See how your score changes over time
  • Priority Indicators: Know which issues to fix first

Categories Scored:

  • License & Updates (10%)
  • Login Security (20%)
  • Firewall & WAF (15%)
  • WordPress Hardening (15%)
  • File Protection (15%)
  • Monitoring & Alerts (15%)
  • Advanced Features (10%)
Sample score: A, 87/100 (category bars: Login Security, Firewall, Hardening, File Protection)

Tip: Enable 2FA for administrators to improve your score by 8 points
Core Security

Firewall & Protection

Enterprise-grade protection against web attacks, malicious bots, and unauthorized access

Web Application Firewall (WAF)

Real-time protection against the most common web attacks. Blocks threats at the application level before they can execute.

  • SQL Injection (SQLi): Blocks UNION SELECT, information_schema, and database extraction attempts
  • Cross-Site Scripting (XSS): Stops script injection, event handlers, and javascript: protocols
  • Local File Inclusion (LFI): Prevents ../ traversal and /etc/passwd access attempts
  • Remote File Inclusion (RFI): Blocks php://, data://, and remote file loading
  • Command Injection: Stops shell command execution attempts
  • WordPress-Specific: Protects wp-config.php, blocks eval() attacks
Attack Types Blocked
  • SQL Injection
  • XSS Attacks
  • File Inclusion
  • Command Injection
  • Path Traversal
  • PHP Wrappers
  • LDAP Injection
  • XML Injection
  • Header Injection
  • Null Byte Attacks
  • Protocol Attacks
  • Request Smuggling

Bad Bot & Scanner Blocking

Automatically blocks malicious bots, vulnerability scanners, and aggressive crawlers that waste your server resources and probe for weaknesses.

  • Vulnerability Scanners: Blocks Nmap, Nikto, SQLMap, WPScan
  • Aggressive Crawlers: Blocks MJ12bot, AhrefsBot, SemrushBot
  • AI Scrapers: Blocks GPTBot, ClaudeBot, CCBot if desired
  • Mass Scanners: Blocks Masscan, ZGrab, Censys
  • Empty User Agents: Optional blocking of requests with no UA
  • 20+ Bot Signatures: Comprehensive bot detection database
Blocked Bots (Last 24h)
AhrefsBot 847 blocked
SemrushBot 523 blocked
MJ12bot 312 blocked
SQLMap 45 blocked
Unknown Scanner 128 blocked

Directory Protection

Blocks PHP execution in vulnerable directories. Even if a hacker uploads a malicious file, it cannot execute.

  • wp-content/uploads/ - Blocks PHP in media uploads
  • wp-content/cache/ - Protects all cache directories
  • wp-includes/ - Blocks direct PHP access
  • wp-admin/css, js, images/ - Protects static asset folders
Why this matters: 73% of WordPress hacks involve uploading malicious PHP files to the uploads folder. Directory protection stops these attacks completely.
Protection Status
wp-content/uploads Protected
wp-content/cache Protected
wp-includes Protected
wp-admin/assets Protected

IP Manager (Whitelist/Blacklist)

Full control over who can access your site. Manually allow trusted IPs or permanently block known attackers.

  • IP Whitelist: Always allow specific IPs (your office, developers)
  • IP Blacklist: Permanently block known bad actors
  • CIDR Range Support: Block entire IP ranges (e.g., 192.168.1.0/24)
  • Auto-Block List: IPs automatically blocked after attacks
  • Temporary Blocking: Auto-blocked IPs expire after 24 hours
  • IPv4 & IPv6: Full support for both IP versions
IP Management
Examples: 192.168.1.100 or 10.0.0.0/8

Country Blocking (GeoIP)

Block or allow access based on visitor's country. Perfect for businesses that only serve specific regions.

  • Blacklist Mode: Block specific countries, allow everyone else
  • Whitelist Mode: Only allow specific countries, block all others
  • GeoIP Database: Accurate country detection via multiple APIs
  • 24-Hour Cache: Efficient lookups with IP caching
  • Easy Selection: Checkbox list of all countries
Common use case: If your business only serves the US, UK, and Canada, whitelist only those countries to eliminate 90%+ of attack traffic.
Country Blocking
Select countries to block based on your threat analysis
Account Protection

Login Security

Multiple layers of protection to keep hackers out of your WordPress admin

Brute Force Protection

Stops password guessing attacks by limiting login attempts and automatically blocking attackers.

  • Attempt Limiting: Configurable max attempts (default: 5)
  • Lockout Duration: Temporary lockout after failed attempts (default: 30 min)
  • Auto-Blocking: Permanent 24-hour block after repeated attacks
  • Progressive Lockout: Lockout time increases with each violation
  • Hidden Error Messages: Don't reveal if username exists
  • Complete Logging: Track all login attempts with IP and timestamp
5 Max Attempts
30m Lockout Time
24h Auto-Block
Access Denied
Too many failed login attempts. Your IP has been temporarily blocked.
Please try again in 29 minutes or contact the administrator.

Two-Factor Authentication (2FA)

Add a second layer of security requiring a time-based code from your phone. Even if passwords are stolen, accounts stay protected.

  • TOTP Protocol: Industry-standard time-based codes
  • App Compatible: Works with Google Authenticator, Authy, Microsoft Authenticator, 1Password
  • QR Code Setup: Easy one-scan configuration
  • Backup Codes: 10 one-time recovery codes per user
  • Per-User Control: Enable for specific users or roles
  • Time Drift Tolerance: Accepts codes within a 30-second window
Scan with Authenticator App

Or enter manually:

JBSWY3DPEHPK3PXP
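
How a TOTP check with drift tolerance can be implemented, as an added example that is not Folder Shield's own code. It assumes the tolerance means one 30-second step either side of the current one, and the function names and the replay guard ($lastStep) are illustrative.

```php
<?php
// Added illustration of RFC 6238 verification; not the plugin's code.

function base32_decode_secret(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = rtrim(strtoupper($b32), '=');
    if ($clean === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($clean) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function hotp(string $key, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true); // 8-byte big-endian counter
    $off  = ord($hash[19]) & 0x0F;                              // dynamic truncation offset
    $bin  = unpack('N', substr($hash, $off, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Returns the time step the code matched, or null if it is rejected.
 * $lastStep is the step of the last code accepted for this user (assumed to be
 * stored per user), so a code cannot be replayed while it is still in the window.
 */
function verify_totp(string $b32, string $code, int $now, ?int $lastStep, int $window = 1): ?int
{
    $key     = base32_decode_secret($b32);
    $step    = intdiv($now, 30);
    $matched = null;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals compares in constant time
        if (hash_equals(hotp($key, $step + $i), $code)) {
            $matched = $step + $i;
        }
    }
    if ($matched === null || ($lastStep !== null && $matched <= $lastStep)) {
        return null;
    }
    return $matched;
}

// RFC 6238 test key ("12345678901234567890") in base32; 287082 is its code at T=59.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verify_totp($secret, '287082', 59, null));   // checked in its own step
var_dump(verify_totp($secret, '287082', 89, null));   // checked one step late
var_dump(verify_totp($secret, '287082', 119, null));  // checked two steps late
var_dump(verify_totp($secret, '287082', 59, 1));      // same step already accepted
```

Widening $window trades usability for a longer period in which a phished code stays valid, so the stored last-accepted step matters more as the window grows.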

Custom Login URL

Hide the default wp-login.php and wp-admin paths. Bots and automated attacks can't find your login page.

  • Custom Slug: Choose your own login URL (e.g., /my-secret-login)
  • Block Default URLs: wp-login.php returns 404 error
  • Slug Validation: 4-32 characters, alphanumeric and dashes only
  • Reserved Slug Protection: Can't use common slugs like "admin" or "login"
Result: Reduces brute force attacks by 99% because bots can't find your login page.
Custom Login URL
https://yoursite.com/
/wp-login.php → 404 /wp-admin → 404

Google reCAPTCHA

Stop automated bots with Google's reCAPTCHA on login, registration, password reset, and comments.

  • reCAPTCHA v2: "I'm not a robot" checkbox
  • reCAPTCHA v3: Invisible score-based detection (no user interaction)
  • Configurable Score: Set minimum score threshold for v3 (default: 0.5)
  • Protect Login Form: Stop automated login attempts
  • Protect Registration: Prevent spam account creation
  • Protect Password Reset: Block reset spam
  • Protect Comments: Optional comment spam blocking

Login Notifications

Get instant email alerts when someone logs into your site from a new device or location.

  • New Device Alerts: Notified on login from an unfamiliar browser/device
  • New IP Alerts: Notified on login from a new IP address
  • All Logins Option: Get notified on every login (optional)
  • Admin-Only Option: Only track administrator logins
  • Device Fingerprinting: Recognizes returning devices
  • Detailed Info: Email includes IP, location, browser, and time
New Login Detected

A new login was detected on your WordPress site:

User: admin
IP Address: 192.168.1.100
Location: New York, US
Browser: Chrome on Windows
Time: Jan 20, 2026 2:30 PM

If this wasn't you, change your password immediately.
Threat Detection

Malware & File Scanning

Detect malicious files, vulnerabilities, and unauthorized changes to your WordPress installation

Malware File Scanner

Scans your entire WordPress installation for malicious files, webshells, backdoors, and suspicious code patterns.

  • PHP in Wrong Places: Detects PHP files in uploads, css, js folders
  • Webshell Detection: Finds FilesMan, WSO, r57, c99, b374k, Cyborg shells
  • Dangerous Functions: eval(), base64_decode(), shell_exec(), system()
  • Obfuscated Code: gzinflate(), str_rot13(), variable function calls
  • Severity Levels: Critical, High, Medium, Low classifications
  • Smart Whitelisting: Ignores legitimate plugin files in uploads
Scan Results
Files Scanned 12,847
Threats Found 2
Suspicious Files 5

CRITICAL: wp-content/uploads/2024/shell.php - Webshell detected

Vulnerability Scanner

Deep analysis of themes and plugins for security vulnerabilities in JavaScript, PHP, and SQL code.

  • JavaScript Vulnerabilities: eval(), document.write(), innerHTML, Function(), setTimeout with strings, jQuery issues, postMessage without origin check, prototype pollution
  • PHP Vulnerabilities: Command injection (shell_exec, exec), file inclusion (include, require with variables), XSS, insecure deserialization, arbitrary file operations
  • SQL Injection: $wpdb->query() without prepare(), user input in queries, string concatenation, unsafe LIKE/ORDER BY, direct mysqli calls

All findings include CWE (Common Weakness Enumeration) references for industry-standard classification.

Vulnerabilities Found
CRITICAL SQL Injection
CWE-89
plugins/contact-form/submit.php:47
HIGH XSS Vulnerability
CWE-79
themes/starter/comments.php:23
MEDIUM Unsafe eval()
CWE-95
plugins/slider/assets/script.js:156

Real-Time Upload Scanner

Scans every file upload in real-time before it's saved to your server. Blocks malicious files instantly.

  • Dangerous Extensions: Blocks .php, .phtml, .phar, .php5, .htaccess
  • Double Extension Attack: Catches image.php.jpg tricks
  • Content Scanning: Checks file contents for PHP code
  • Webshell Signatures: 50+ known webshell patterns
  • Polyglot Detection: Finds PHP hidden in image files
  • MIME Type Verification: Validates actual file type
  • AI Integration: Optional deep analysis with AI Scanner
Upload Blocked

shell.php.jpg was blocked.
Reason: PHP code detected in image file (polyglot attack)
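
The extension, type, and content checks listed above, as an added example that is not Folder Shield's own code. The function name, the extension list (taken from the bullets), the image allow list, and the sample files are assumptions constructed for illustration.

```php
<?php
// Added illustration of upload inspection; not the plugin's code.

const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'php5', 'htaccess'];

// Magic bytes for the image types this sketch accepts (assumed allow list).
const IMAGE_SIGNATURES = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => 'GIF8',
];

/** Returns the reasons to reject an upload; an empty list means it passed. */
function inspect_upload(string $filename, string $bytes): array
{
    $reasons = [];
    if (preg_match('/[\x00-\x1F]/', $filename) === 1) {
        $reasons[] = 'control character in file name';
    }

    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);                       // drop the base name, keep every extension
    $finalExt = $parts ? end($parts) : '';

    // A blocked extension anywhere in the chain catches shell.php.jpg and .htaccess.
    foreach ($parts as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            $reasons[] = "blocked extension .$ext";
        }
    }

    // Type verification: the content must start with the signature of the claimed type.
    if (!isset(IMAGE_SIGNATURES[$finalExt])) {
        $reasons[] = 'file type not on the allow list';
    } else {
        $sig = IMAGE_SIGNATURES[$finalExt];
        if (strncmp($bytes, $sig, strlen($sig)) !== 0) {
            $reasons[] = 'content does not match claimed type';
        }
    }

    // Polyglot check: a valid image header does not rule out a PHP open tag in the body.
    if (preg_match('/<\?(php|=)/i', $bytes) === 1) {
        $reasons[] = 'PHP open tag found in content';
    }
    return $reasons;
}

// Constructed samples (file name => bytes), harmless markers only.
$samples = [
    'photo.png'     => "\x89PNG\r\n\x1A\n" . str_repeat("\x00", 16),
    'shell.php.jpg' => "\xFF\xD8\xFF\xE0" . '<?php /* constructed marker */ ?>',
    'notes.jpg'     => 'plain text pretending to be a JPEG',
    '.htaccess'     => "# constructed\n",
];
foreach ($samples as $name => $bytes) {
    $reasons = inspect_upload($name, $bytes);
    echo $name, ': ', $reasons ? 'BLOCKED (' . implode('; ', $reasons) . ')' : 'accepted', "\n";
}
```

A byte scan for short open tags can false-positive on large binary files, so re-encoding accepted images server-side and keeping PHP execution disabled in the uploads directory cover what signature checks miss.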

WordPress Core File Protection

Monitors WordPress core files for unauthorized modifications. Detects if hackers have tampered with your installation.

  • Checksum Verification: Compare against official WordPress.org hashes
  • Baseline Creation: Snapshot of clean installation
  • Daily Monitoring: Automatic daily integrity checks
  • Change Detection: Alerts when core files are modified
  • New File Detection: Finds unauthorized files in core directories
  • Email Alerts: Immediate notification of tampering
Core File Integrity
wp-includes/version.php Verified
wp-includes/functions.php Verified
wp-admin/admin.php Verified
wp-login.php Verified

All 847 core files verified against WordPress.org checksums
Anti-Spam

Spam Protection

Block spam bots from your forms and comments without annoying your real visitors

Universal Form Spam Protection

Protects all major form plugins from spam with honeypots, time validation, rate limiting, and content filtering.

  • Honeypot Fields: Invisible traps that only bots fill out
  • Time Validation: Blocks instant submissions (humans take time)
  • Rate Limiting: Limits submissions per IP (default: 5/minute)
  • Spam Keywords: 500+ spam phrase patterns blocked
  • URL Detection: Blocks excessive links (configurable)
  • Blocked TLDs: Filters suspicious free domains

Supported Form Plugins:

  • Contact Form 7
  • WPForms
  • Gravity Forms
  • Ninja Forms
  • Formidable Forms
  • Elementor Forms
  • Fluent Forms
  • WS Form
  • Happyforms
  • Caldera Forms
Spam Filtering Results
Honeypot Catches 847
Too Fast Submissions 312
Rate Limited 156
Spam Content Blocked 523
Legitimate Submissions 1,247

93% spam blocked, 0% false positives

Comment Spam Protection

Advanced protection for WordPress comments including pingback/trackback blocking and spam detection.

  • Block Pingbacks: Stops DDoS amplification attacks
  • Block Trackbacks: Prevents trackback spam
  • Author URL Check: Validates commenter website URLs
  • Flood Protection: Limits comments per IP per minute
  • WordPress Disallowed Keys: Uses built-in blocklist
  • Trusted Commenters: Skips checks for approved users
Hardening

WordPress Hardening

Disable unnecessary features and hide information that hackers use to find vulnerabilities

Hide WordPress Version

Remove version numbers from:

  • Meta generator tag
  • Script/style URLs (?ver=)
  • RSS feeds
  • REST API
Prevents attackers from targeting version-specific vulnerabilities.
Disable XML-RPC

Completely disable xmlrpc.php which is used for:

  • Brute force amplification
  • DDoS relay attacks
  • Credential stuffing
  • Pingback abuse
Most sites don't need XML-RPC. Disable it unless you use mobile apps or Jetpack.
Block Pingbacks & Trackbacks

Disable legacy notification features:

  • Remove X-Pingback header
  • Disable pingback.ping
  • Disable trackbacks
  • Block DDoS amplification
Pingbacks are rarely used legitimately and are commonly exploited.
REST API Protection

Control WordPress REST API access:

  • Block /wp/v2/users (user enumeration)
  • Require authentication
  • Auto-whitelist e-commerce
  • WooCommerce compatible
Blocks username discovery while keeping Gutenberg working.
Security Headers

Add HTTP security headers:

  • X-Frame-Options (clickjacking)
  • X-Content-Type-Options
  • X-XSS-Protection
  • Content-Security-Policy (optional)
Industry-standard headers that browsers use to prevent attacks.
Disable File Editor

Remove Theme/Plugin Editor from admin:

  • Prevents code injection
  • Blocks backdoor installation
  • Adds DISALLOW_FILE_EDIT
  • Use SFTP instead
If a hacker gains admin access, they can't inject code via the editor.
Block User Enumeration

Prevent username discovery:

  • Block ?author=1 redirects
  • Block REST API user endpoints
  • Hide usernames from errors
  • Disable author archives (optional)
Hackers can't discover valid usernames to target with brute force.
Disable Application Passwords

Control app password feature (WP 5.6+):

  • Prevents bypass of 2FA
  • Stops persistent access
  • Reduces attack surface
  • Optional (disabled by default)
App passwords bypass 2FA. Disable if not using mobile apps.
Remove Unnecessary Headers

Clean up HTML head section:

  • RSD link (xmlrpc discovery)
  • WLW manifest (obsolete)
  • oEmbed discovery links
  • Shortlink header
Removes information that attackers use to probe your site.
Monitoring

Monitoring & Alerts

Stay informed about security events with comprehensive logging and instant notifications

Comprehensive Activity Logging

Track all security events in real-time with detailed logs for:

  • Firewall Blocks
  • Failed Logins
  • Successful Logins
  • Country Blocks
  • Form Spam Blocks
  • Upload Blocks
  • Settings Changes
  • Security Alerts

All logs include: Timestamp, IP Address, User Agent, Request Details, and Outcome
Email Alert System

Get instant email notifications for critical security events:

  • New device/IP logins
  • Core file modifications
  • Security settings changes
  • Malware detection alerts
  • Brute force attack warnings
  • License expiration reminders
Configure which alerts you want to receive. Rate-limited to prevent inbox flooding.
Settings Protection & Audit

Protect and audit plugin settings changes:

  • Change detection system
  • Email alerts on changes
  • Audit log with who/what/when
  • Change history tracking
Session Timeout Control

Automatically log out inactive users:

  • Configurable timeout (default: 60 min)
  • Skip timeout for admins (optional)
  • Force logout all users
  • Prevents unauthorized access
Integrations

Third-Party Integrations

Works seamlessly with popular services and plugins

Cloudflare Integration

Sync your security with Cloudflare for edge-level protection:

  • IP Sync: Automatically push blocked IPs to Cloudflare firewall
  • Security Level: Control Cloudflare security level from WordPress
  • Under Attack Mode: One-click enable during DDoS attacks
  • Challenge Mode: Show CAPTCHA to suspicious visitors
  • Real IP Detection: Automatic Cloudflare IP range handling

Caching Plugin Compatibility

Auto-detects and protects cache directories for 15+ caching plugins:

  • WP Rocket
  • LiteSpeed Cache
  • W3 Total Cache
  • WP Super Cache
  • WP Fastest Cache
  • Autoptimize
  • Cache Enabler
  • Comet Cache
  • Hummingbird
  • Breeze
  • Swift Performance
  • SG Optimizer
  • NitroPack
  • FlyingPress
  • Perfmatters

E-Commerce Compatibility

REST API endpoints auto-whitelisted for e-commerce plugins:

  • WooCommerce
  • Easy Digital Downloads
  • Dokan Marketplace
  • WC Vendors
  • WCFM Marketplace
  • MemberPress
  • LearnDash
  • LifterLMS
  • GiveWP
  • Charitable

Plugin Conflict Detection

Automatically detects 20+ plugins that may conflict:

  • Other security plugins (Wordfence, Sucuri, iThemes)
  • Duplicate 2FA plugins
  • Login security plugins
  • Login URL hiding plugins
Shows severity levels (Critical/Warning/Info) with resolution recommendations.
Management

Management Tools

Powerful tools for administrators and developers

WP-CLI Commands

Full command-line support for automation and scripting:

$ wp folder-shield status
$ wp folder-shield scan
$ wp folder-shield block 192.168.1.1
$ wp folder-shield unblock 192.168.1.1
$ wp folder-shield list-blocked
$ wp folder-shield whitelist add 10.0.0.1
$ wp folder-shield enable firewall
$ wp folder-shield disable 2fa
$ wp folder-shield clear-logs firewall
$ wp folder-shield license activate KEY
WordPress Multisite Support

Full support for WordPress Multisite networks:

  • Network Activation: Activate once for all sites
  • License Modes: Network-wide or per-site licensing
  • Network Dashboard: Central management for super admins
  • Settings Propagation: Push settings to all sites
  • Auto-Protect New Sites: Automatic protection for new subsites
  • Site Exclusions: Exempt specific sites from network settings

Setup Wizard

Guided first-time configuration in 5 easy steps:

  1. Welcome & License Activation
  2. Directory Protection Settings
  3. Login Security Configuration
  4. Firewall Settings
  5. Complete & Review
Choose from Essential, Recommended, or Maximum security presets.

Early Security Loading

Maximum protection with pre-WordPress loading:

  • Sunrise.php: Loads before WordPress (multisite)
  • MU-Plugin: Loads before regular plugins
  • File-Based Blocking: No database needed
  • Emergency Mode: Lock down during attacks
  • Ultra-Fast: < 1ms overhead

Automatic Updates

Stay protected with automatic plugin updates:

  • Automatic security updates
  • Version checking from our servers
  • Changelog display before update
  • One-click manual update

Emergency Mode

Instant lockdown during active attacks:

  • Block all traffic except whitelisted IPs
  • Configurable duration
  • Custom maintenance message
  • File-based (works without database)

Compare Plans

All plans include all features. Only the number of sites differs.

Feature Personal (1 Site) Professional (5 Sites) Agency (100 Sites)
Web Application Firewall
Brute Force Protection
Two-Factor Authentication
AI Scanner (Beta)
Live Traffic Monitor
Threat Intelligence
Form Spam Protection
Cloudflare Integration
All 30+ Security Features
Automatic Updates
Email Support
Annual Price $29/year $49/year $199/year
Lifetime Price $99 $299 $499

Ready to Secure Your WordPress Site?

Get all 30+ security features with AI-powered protection starting at just $29/year.