
Protect WordPress Without Slowing It Down

SiteFort is the WordPress security plugin from Securewp. Cloud-side malware scanning so your site stays fast. Firewall, 2FA, vulnerability monitoring, and one-click hardening included free.
★★★★★ Trusted by 40+ agencies · 50,000+ sites monitored daily · No credit card required
See it in action

Your security workspace, inside WordPress

Malware scanning, firewall, login security, vulnerability monitoring, hardening, and a complete audit trail. One purpose-built interface.

Screenshots (yourdomain.com/wp-admin/admin.php?page=sitefort): SiteFort Dashboard, Malware Scanner, Firewall Rules Settings, Login Security, Hardening, Vulnerability Checker, Audit Log

Why we built SiteFort

Built from breach reports. Tuned for WordPress.

Most WordPress security plugins were built to run on a server, charge for the basics, and disappear when a site is actually hacked. SiteFort is different. Heavy scanning happens in the Securewp cloud, so your site stays fast. Premium features ship free. And when something gets through, a senior Securewp analyst takes over within 15 minutes.

01 · Detect

Catch threats before they become incidents

Cloud-powered malware scanning and continuous vulnerability monitoring across your entire WordPress stack.

Cloud malware scanner

Built to run reliably on your WordPress host

WordPress runs on every kind of host, from a $5 shared plan to managed infrastructure. Our cloud handles the heavy analysis so scans finish on any of them, with no PHP timeouts, memory errors, or process kills. Your server stays fast for visitors.

Files, database, and core integrity
Detects backdoors, webshells, spam injections, and malicious redirects. Verifies WordPress core against official checksums.
One-click repair for infected files
Pro users clean malware directly from the scan results. Expert cleanup service available if needed.
Signature-hash first, content only when needed
Most files never leave your server. Under 1% of files get uploaded for deep analysis after the first scan.
How cloud scanning works vs server-based scanning
1. Plugin collects file signatures on your server. Near-zero CPU. No file content leaves your server yet.
2. Known files verified against clean database. WordPress core, popular plugins, and themes clear in milliseconds.
3. Unknown files uploaded for deep inspection. Typically under 1% of files after the first scan.
4. Results with one-click repair. Infected files identified by type and severity. Fix from the dashboard.
Vulnerability monitoring

Find vulnerabilities before hackers do

Most WordPress hacks exploit known security gaps with available fixes. SiteFort monitors your entire stack and flags the moment a weakness is discovered.

Prioritized by severity with CVE references
Every finding includes a CVSS score so you know what to fix first.
Covers core, plugins, and inactive themes
Even inactive themes are monitored. Attackers exploit what you forget.
One-click updates from the report
Patch vulnerable plugins and themes directly, no context switching.
SiteFort → Vulnerabilities
Page Builder Plugin
Plugin · Installed: 3.11.5 · 2 issues
Update Plugin
Vulnerability | Affected | CVE | Severity
Broken Access Control | <=3.35.5 | CVE-2026-32445 | Low (2.7)
Stored Cross-Site Scripting via REST API | <=3.35.5 | CVE-2025-14732 | Medium (6.4)
Contact Form Plugin
Plugin · Installed: 1.6.13 · 2 issues
Update Plugin
Vulnerability | Affected | CVE | Severity
Cross Site Scripting (XSS) | <2.5.0 | CVE-2025-9703 | Medium (5.9)
Missing Authorization on Settings Update | <=2.4.6 | CVE-2025-8488 | Medium (5.4)
02 · Block

Stop threats at every layer

A layered firewall that filters traffic before it reaches WordPress, with rich bot and rule controls and an optional Cloudflare edge sync.

Firewall · Bot & crawler policy

Stop bad bots without hurting your SEO

Pick a tier and ship. Googlebot, Bingbot, and major AI crawlers are always recognised and let through. Scanners, scrapers, and unknown scripts are dropped.

3-tier: One-click policy
SEO-safe: Crawlers always pass
Auto-ban: On scanner probes
SiteFort → Firewall → Bot & Crawler Policy
Search engine crawlers and major AI crawlers are recognised automatically and pass through at every level.
Basic

Block known hacking and vulnerability scanning tools only.

Hacking tools
Scrapers
Auto scripts
Unknown bots
Balanced
Recommended
Hacking tools
Scrapers
Auto scripts
Unknown bots
Maximum

Blocks all unrecognised bot traffic.

Hacking tools
Scrapers
Auto scripts
Unknown bots
Detect & block scanners

Detects and bans IPs probing for config files, backups, and version metadata.

Ban IP after 3 failed attempts within 11 minutes
SiteFort → Firewall → Traffic Rules
IP Address
Country
Bot / Crawler
Duration: · Reason:
Allow my current IP

Active rules

185.220.00.47 · Block · Permanent
45.00.212.0/24 · Block · Permanent
203.0.113.5 · Allow · My IP
Rule builder · Traffic control

Block the exact traffic you want gone

A visual rule builder with three tabs: IP address, country, and bot. Every rule can be permanent or timed, with a note for the audit trail.

Single IPs and subnets
Block a single IP or an entire /24. Your current IP is auto-allowlisted so you never lock yourself out.
Country-level geoblocking
One-click region blocking. With Cloudflare sync enabled, the rule is pushed to the edge automatically.
Named bot and user-agent rules
Stop SemrushBot, AhrefsBot, or any custom user-agent while keeping your own SEO tools allowed.
Community threat blocklist

A shared IP blocklist updated continuously across all SiteFort sites. Free on every plan.

Cloudflare WAF sync

Optional one-toggle sync pushes your IP and country blocks to Cloudflare's edge network.

Rate Limiting

Per-IP request caps on both normal traffic and 404 probes. Keeps scanners out without slowing trusted crawlers.

03 · Harden

Close the gaps WordPress leaves open

Login protection, server hardening, and a full audit trail. One toggle each, no config files.

Site hardening & audit log

Harden the defaults, log everything

Toggle hardening rules from your dashboard. Keep a tamper-proof audit trail of every login, file change, and firewall event.

Block PHP in uploads, protect sensitive files
Stops PHP execution in /uploads and blocks public access to .env, debug.log, and .git metadata.
Information leak prevention
Hide version numbers, clean HTML head, block username enumeration via /?author.
Long activity log retention
Who did what, when. Every login, file change, setting update, and blocked request. No forced expiry.
SiteFort → Hardening
Server Hardening
Block Sensitive File Access: Blocks public access to .env files, debug logs, .git metadata, database backups, and server config fragments. Credential exposure is one of the most common causes of full site compromise.
Block PHP Execution in Uploads: Prevents attackers from executing PHP files in /uploads. WordPress never runs PHP from uploads, only malware does.
Block Direct PHP Access in Plugins: Ensures plugin PHP files only run when loaded by WordPress core, not when accessed directly via URL.
Block Direct PHP Access in Themes: Ensures theme PHP files only run when loaded by WordPress core, not when accessed directly via URL.
Disable Directory Listing: Prevents visitors from browsing folder contents when no index file is present, hiding backup files and config resources.
WordPress Obscurity
Block User Enumeration: Blocks username discovery via author scanning, REST API user endpoints, oEmbed data, and user sitemaps.
Disable Theme & Plugin Editor: Removes the built-in code editor from the dashboard, preventing PHP injection through the admin panel.
Disable Application Passwords: Removes Application Passwords, which bypass two-factor authentication. Disable unless required by external apps.
Hide WordPress Version: Removes version numbers from meta tags, RSS feeds, and script query strings to prevent fingerprinting.
Clean WordPress Head: Removes unnecessary meta tags, manifest links, and feed discovery links from the HTML head.
Login security

Lock down your WordPress login

2FA, CAPTCHA, and breached password detection built in. Stop credential attacks before they start.

Two-factor authentication
TOTP via any authenticator app, or email fallback. Per-role enforcement rules.
Breached password detection
Checks new passwords against HaveIBeenPwned. Enforces rotation when exposure is detected.
CAPTCHA and login throttling
Modern invisible CAPTCHA with automatic IP lockout on failed attempts. Works on /wp-login.php, XML-RPC, and REST.
SiteFort → Login Security
Two-Factor Authentication · Required: Administrator, Editor
4 8 3 · 2 1 6
Expires in 18s · Google Authenticator
Limit Login Attempts · 5 fails per IP · lock out 30 min
847 attempts blocked today · 14 IPs locked
72% of attack traffic stopped at login layer
Bot Detection (CAPTCHA)
Google reCAPTCHA or Cloudflare Turnstile
Active
Secret Login URL
yoursite.com/my-login
403 · 404 · Redirect
Scale

Centralize security across every WordPress site you manage

Connect SiteFort to the Securewp console for scan history, vulnerability status, uptime, SSL, alerts, team access, and client-ready security reports across every site.

Unified security console
See site status, malware scan results, vulnerability findings, uptime, SSL health, firewall activity, and security events across your connected WordPress sites.
Bulk scans, alerts, and workflows
Trigger scans across one site or many, route security alerts to Slack or Discord, and keep the right people informed without logging into every wp-admin.
Roles and reporting for growing teams
Assign team access, review security history, and export client-ready reports for retainers, agencies, maintenance plans, and internal reviews.
console.securewp.net
Sites: 4 · Risk Queue: 1 · Uptime: 99.9%

All 4 · Secure 3 · Attention 1 · Scanning 0

clientstore.com

WP 6.9 · PHP 8.3 · Pro

Secure

agency-blog.net

WP 6.8 · PHP 8.2 · Pro

1 Vuln

shop.mybrand.co

WP 6.9 · PHP 8.3 · Managed

Secure

developer-portfolio.io

WP 6.9 · PHP 8.3 · Free

Secure

Premium features. Included free.

Wordfence, Sucuri, SolidWP, and MalCare charge for the features below. SiteFort includes every one of them in the free plan, with no caps, retention limits, or forced upgrade paths.

Two-factor authentication

TOTP via any authenticator app, per-role enforcement, and secure backup codes.

Unlimited audit log retention

Full history of every login, file change, and blocked request. No forced expiry.

Login CAPTCHA Protection

Block automated login attempts with Google reCAPTCHA or Cloudflare Turnstile.

IP & domain reputation

Scan your IPs and linked domains against global blacklists.

Cloudflare WAF integration

Sync IP, country, and bot rules to Cloudflare’s edge from your SiteFort dashboard.

Country and region blocking

Block entire countries or regions at the firewall layer, before WordPress, plugins, or themes load.

Loved by teams

The team behind 25,000+ secured WordPress sites

★★★★★

"I switched from Wordfence because scans were slowing my WooCommerce store during peak hours. With SiteFort, scanning happens in the cloud. My site never skips a beat and I get the same level of protection."

Sean P.
Agency partner, 40+ client sites
★★★★★

"I manage 40+ client sites. The Securewp console gives me scan status, uptime, and vulnerability alerts across every site in one place. SiteFort is the first security tool I've added to every client retainer without hesitation."

Eric R.
Lead engineer, WooCommerce store
★★★★★

"Got hacked on a Friday night. Had a Securewp expert assigned within 20 minutes. The site was clean by morning, and they walked me through exactly what happened. The 12-month warranty means I can sleep easy."

Michael K.
DevOps manager, SaaS company
Simple pricing

Security for every stage

Start free. Upgrade when you grow. Cancel anytime.

Best for personal sites
Free

Essential protection, no credit card needed.

$0/forever
  • 3,000 scan credits / mo
  • Firewall & country blocking
  • Login protection & 2FA
  • Security hardening
  • Activity logging
MOST POPULAR
Best for growing businesses
Pro

Advanced security with unlimited scans.

$99/year
  • Unlimited scans
  • One-click file restore
  • Scheduled & automated scans
  • Uptime monitoring
  • Slack, Discord & email alerts
  • 50% off expert cleanup
Best for agencies & serious sites
Managed

Hands-off security. We run it for you.

$299/year
  • Everything in Pro
  • Dedicated security agent
  • Free expert malware cleanup
  • Core, plugin & theme updates
  • 24/7 priority monitoring
Have questions?

Frequently asked

SiteFort is the WordPress plugin. Securewp is the platform it connects to: console, scanning cloud, and incident response. One account covers both.

SiteFort generates file signatures (hashes) locally on your server. These hashes are checked against the Securewp cloud database of known-clean files. Only files that are unknown or suspicious are securely uploaded for deep analysis. Most files never leave your server at all. After the first scan, verified files are cached with cryptographic signatures, so repeat scans are even faster.
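The hash-first flow in the four scanner steps and in the answer above, as an added Python sketch (not SiteFort or Securewp code). The function names, the in-memory known-clean set, the cache model and the sample tree are assumptions constructed for illustration. It shows why the repeat-scan cache has to be keyed on content hash: a file edited after verification goes back into the upload queue.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_clean, cache):
    """Return (verified, upload_queue); cache maps path -> hash cleared earlier (assumed model)."""
    verified, upload_queue = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in known_clean or cache.get(rel) == digest:
            cache[rel] = digest
            verified.append(rel)
        else:
            cache.pop(rel, None)  # content changed or never seen: re-inspect
            upload_queue.append(rel)
    return verified, upload_queue

def demo():
    """Three scans over a constructed tree: first, repeat, after modification."""
    custom = "wp-content/plugins/custom/custom.php"
    files = {  # constructed sample content, not real WordPress files
        "wp-includes/version.php": b"<?php $wp_version = 'sample';\n",
        custom: b"<?php // site-specific code\n",
    }
    known_clean = {hashlib.sha256(files["wp-includes/version.php"]).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        cache = {}
        first = triage(root, known_clean, cache)
        cache[custom] = sha256_file(root / custom)  # deep analysis cleared it
        second = triage(root, known_clean, cache)
        (root / custom).write_bytes(b"<?php // edited after verification\n")
        third = triage(root, known_clean, cache)
    return first, second, third

if __name__ == "__main__":
    print(demo())
```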

No. Unlike traditional security plugins that run malware analysis on your server, SiteFort offloads the heavy work to the Securewp cloud. The plugin also includes automatic throttling that reduces activity if your server is under load. Visitors notice nothing during scans.

3,000 cloud scan credits per month, the full firewall with country blocking, community threat blocklist, login protection with 2FA, brute-force lockout, CAPTCHA, all hardening features, breached password detection, activity logging, and the security console. Features like country blocking and community blocklists are paid-only in competing plugins.

Yes. SiteFort syncs firewall rules directly to your Cloudflare WAF from the plugin dashboard. IP blocks and rate-limiting rules applied in SiteFort are pushed to Cloudflare automatically, so malicious traffic is stopped at the edge. Works alongside the plugin's built-in PHP-level firewall for layered protection.

Yes. The Securewp console gives you a centralized dashboard for every SiteFort-connected site. Trigger scans remotely, view security status, manage firewall rules, and receive Slack or Discord alerts. Team roles (owner, admin, operator, viewer) control access. Pro users managing 5+ sites get volume pricing at $79 per site per year.

You get a clear report showing which files are infected, what type of malware was found, and severity. Pro users repair with one click directly from the scan results. For complex infections, expert cleanup is $149 (50% off with Pro, free with Managed). Every cleanup includes a 1-year reinfection warranty.

Yes. Pro and Managed plans come with a 30-day satisfaction guarantee. If SiteFort is not the right fit, contact support within 30 days of purchase for a full refund. No questions asked.

Yes. Teams managing 25+ sites, organizations with custom compliance requirements, and buyers needing wire transfer, master services agreements, or data processing agreements can contact our enterprise team. We respond within one business day with a tailored proposal. Volume pricing from $79 per site per year.

Secure your WordPress site in under 5 minutes

Install SiteFort free. Connect to the Securewp console. Run your first scan. No credit card, no commitment.

30-day money-back guarantee on Pro and Managed plans.