
外掛標籤
開發者團隊
② 後台搜尋「SiteFort Security – Malware Scanner, Firewall, Login Security & Hardening」→ 直接安裝(推薦)
📦 歷史版本下載
原文外掛簡介
Most WordPress hacks start with a door someone left open. An unpatched plugin, an exposed backup, a weak admin password. SiteFort works prevention-first. It closes these weak points before attackers find them, then backs that with a firewall and cloud malware scanning. An attack cannot exploit a door that is no longer open.
Malware analysis runs in the SiteFort cloud, not on your hosting, so full scans stay fast even on shared servers. The free plugin is real protection, not a trial; the protections most sites need are included without a paywall.
Try the Live Demo | Features | Free Remote Scan
Comprehensive WordPress Protection
Cloud Malware Scanner: Detects backdoors, web shells, injected code, and SEO spam, with the heavy analysis running in the cloud instead of on your server.
Verified Hardening: Locks down XML-RPC, user enumeration, sensitive files, and PHP execution, then checks each rule is actually enforced, not just switched on.
Firewall & Bot Filter: Country blocking, rate limits, a community IP blocklist, and bot filtering that never blocks real search engines.
Login Security & 2FA: Custom login URL, CAPTCHA, brute-force lockouts, breached-password blocking, and role-based 2FA enforcement. No separate login plugin needed.
Backdoor Admin & Account Audit: Finds admin accounts hidden from the WordPress users list, plus weak, breached, and suspicious accounts.
Vulnerability Checks: Scans core, plugins, and themes against CVE intelligence and shows affected versions, severity, and fix guidance.
Repair & Quarantine: Quarantine suspicious files (restorable if something breaks) or repair infected files from clean sources in one click.
Cloudflare Edge Sync: Push IP, country, and bot rules to Cloudflare so attacks are blocked before they ever reach WordPress.
WordPress Security Scanner
A single scan checks far more than files.
Malware Detection: Known files clear instantly by local hash; only unknown or suspicious files go to deep cloud analysis for backdoors, web shells, injected code, SEO spam, and malicious redirects.
File Integrity Checks: Catches tampered core, plugin, and theme files, and flags files that shouldn’t exist on the site at all.
User Account Security: Flags breached passwords, risky roles, suspicious user data, and administrator accounts that need review.
Ghost Administrator Detection: Catches backdoor admin accounts, including ones hidden from the WordPress users list or created outside normal site workflows.
Content & Database Safety: Checks WordPress data locally for injected content, suspicious options, unsafe URLs, spam injections, and malicious redirect indicators.
Domain & IP Reputation: Checks your domain and server IP against blocklists and abuse feeds, so you learn about a listing before your visitors or your email deliverability do.
Sensitive File Exposure: Finds exposed backups, logs, config files, debug files, and other files attackers commonly target.
Vulnerability Scanner: Checks WordPress core, plugins, and themes for known vulnerabilities, affected versions, severity, and CVE references where available.
Server State Checks: Reviews public paths, security headers, file exposure, and server settings that make a compromise easier.
Cloud-assisted file scanning reduces server load. Content and database checks run on the site. Database content never leaves.
WordPress Security Hardening
SiteFort closes the exposure points attackers check first, then verifies each protection is actually enforced on the server, not just enabled in the dashboard.
XML-RPC Controls: Disable XML-RPC, restrict authentication, or block pingback abuse.
User Enumeration Blocking: Reduces username leaks from author archives, REST endpoints, and common discovery paths.
Sensitive File Protection: Blocks public access to .env, backups, logs, debug files, .git metadata, lock files, sample configs, and server fragments.
PHP Execution Protection: Blocks PHP execution in uploads and direct PHP access inside plugin and theme folders where supported.
Directory Listing Protection: Reduces exposure from browsable upload, plugin, theme, or backup directories.
File Editor Protection: Disables the built-in theme and plugin file editor to limit damage from compromised admin accounts.
REST & Application Password Controls: Restricts risky REST access and application password behavior based on site needs.
Version & Metadata Cleanup: Hides WordPress version output and reduces exposed generator and header signals.
Security Headers: Analyze and manage CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and disclosure headers.
Verified Hardening: SiteFort checks whether supported hardening rules are actually enforced; items that require manual hosting or server configuration are flagged separately.
Login Security & 2FA
Account takeover is one of the fastest ways to lose control of a WordPress site. SiteFort adds layered login protection without requiring separate plugins.
Custom Login URL: Move your login page to a private address; anything hitting wp-login.php gets a redirect, a 403, or a 404, your choice.
Attack Prevention: Brute-force lockouts, CAPTCHA, generic login errors, and XML-RPC/REST authentication controls.
Two-Factor Authentication: Role-based 2FA enforcement with authenticator app codes, email codes, and recovery codes.
Password Policy: Weak and breached password detection, role-based strength enforcement, and expiration rules.
WordPress Firewall
SiteFort blocks unwanted traffic before it consumes server resources, with no custom rule syntax to learn.
IP & Country Rules: Block or allow traffic by IP address, CIDR range, country, bot, crawler, or user agent.
Country Blocking: Supports both block-selected and allow-only modes.
Sensitive File Protection: Stops bots probing for .env, .git, wp-config.php backups, SQL dumps, debug logs, installer files, and other risky paths.
Cloudflare Sync: Pushes supported IP, country, and user-agent rules to Cloudflare so high-volume blocks happen at the edge.
Temporary Edge Blocks: Blocks repeat attackers at Cloudflare when Cloudflare Sync is configured.
Rate Limiting & 404 Controls: Reduces abusive traffic spikes, repeated missing-page requests, and automated noise.
Community Threat Intelligence: Blocks traffic from malicious IPs seen across the SiteFort network.
Vulnerability-Hunting Bot Protection: Blocks bots probing for vulnerable plugins, themes, backup files, and configuration leaks.
Bot Filter Policy
Not all bots are bad. Pick one of three protection levels; unwanted automation gets blocked while legitimate search crawlers always pass through safely, so bot filtering never puts your SEO at risk.
Basic: Blocks known hacking tools and bots probing for vulnerable files.
Balanced: Blocks hacking tools, scraping bots, and automated scripts. Recommended for most sites.
Maximum: Blocks hacking tools, scrapers, automated scripts, and unrecognized bot traffic.
Block AI Training Crawlers: Optional block for AI scrapers that harvest content for model training (GPTBot, ClaudeBot, CCBot, Bytespider). AI assistants and search crawlers stay allowed.
Choose the level that fits the site, then adjust individual rules from the firewall dashboard.
Vulnerability Management
SiteFort checks installed WordPress core, plugin, and theme versions against vulnerability intelligence and shows affected assets, severity, CVE references where available, and the update that fixes each issue. While you apply updates, the firewall blocks the scanner bots that hunt for vulnerable components.
One-Click Repair & Restore
Pro: Guided repair workflows let you act on scan findings without manually editing files over FTP or SSH.
Repair or delete malicious files directly from scan results.
Restore clean WordPress core, plugin, and theme files when a trusted clean source is available.
Repair supported paid plugin and theme files when clean-source matching is available.
Quarantine suspicious files safely, with one-click restore if something on the site breaks.
For an active compromise, Securewp expert cleanup and managed security services are available when hands-on investigation, root-cause patching, blocklist help, or post-cleanup review is needed.
Audit Log & SiteFort Console
SiteFort keeps a security event history so you can quickly see what changed, what was blocked, and what needs attention.
Login Activity: Successful logins, failed attempts, lockouts, 2FA events, and account-related actions.
User & Site Changes: User updates, plugin and theme changes, settings changes, and sensitive admin actions.
Firewall Activity: Blocked IPs, country rules, bot blocks, rate-limit events, and suspicious request activity.
Scanner Results: Malware findings, vulnerability findings, reputation checks, hardening issues, and scan history.
Hardening Changes: Applied rules, failed rules, verified protections, and items needing manual review.
Site-level security features are available from the WordPress dashboard. SiteFort Console is optional for teams that need centralized visibility across multiple sites.
Multi-site status for connected websites.
Downloadable reports for clients or internal review.
Team roles and support workflows.
Hosting Compatibility
SiteFort is built for real WordPress environments including shared hosting, managed hosting, VPS, and Cloudflare-proxied sites.
Works with Apache, Nginx, and LiteSpeed.
Compatible with shared hosting, managed WordPress hosting, VPS, and dedicated servers.
Cloudflare-friendly: supports proxied sites and optional Cloudflare rule sync.
Cloud-assisted scanning reduces heavy scan work on lower-resource hosting plans.
Verified hardening confirms whether key rules are actually enforced, not just toggled on.
Free vs Pro
Free includes the firewall, bot filter, login security and 2FA, verified hardening, vulnerability checks, audit log, quarantine, and cloud malware scanning with 3,000 scan credits every month.
Pro adds:
* Unlimited cloud scanning with deep threat analysis
* Scheduled scans and automated vulnerability alerts
* One-click malware repair with clean-file restore for core, plugins, and themes
* Uptime and SSL expiry monitoring
* Slack, Discord, email, and webhook alerts
* Remote scan history, advanced reports, and white-label options for agencies
* Expert cleanup discounts
Managed adds hands-on monitoring, response workflows, and expert cleanup coverage by the Securewp team.
Looking for a market comparison? See the WordPress Security Plugin Comparison.
External services
SiteFort connects to external services only when needed for license activation, cloud-assisted malware analysis, vulnerability intelligence, firewall intelligence, optional Console sync, optional CAPTCHA, optional GeoIP, Cloudflare sync, and administrator-enabled notifications.
Optional integrations are not contacted unless they are configured or used.
SiteFort Cloud
Servers: securewp.net, intel.securewp.net, console.securewp.net
Used for: License activation, service metadata, cloud malware analysis, vulnerability intelligence, firewall intelligence, reputation checks, community blocklist sync, clean-file repair, and optional Console sync.
Data sent: Email address, license key/token, site URL, WordPress/plugin versions, installed plugin/theme names and versions, file hashes, scan results, vulnerability findings, reputation status, firewall metadata, blocked IPs, and security configuration metadata.
Malware scanning: File hashes are sent first. Only unknown or suspicious files may be uploaded for deeper analysis and are deleted after processing. Database and content checks run on your website. SiteFort does not upload your database or database-stored content to the cloud. If wp-config.php requires analysis, sensitive configuration values are removed before upload.
Temporary storage: SiteFort Cloud may return temporary upload/download URLs on *.amazonaws.com for scan uploads or clean-file repair downloads.
Privacy: https://securewp.net/privacy-policy/
Terms: https://securewp.net/terms-and-conditions/
Storage provider policies: AWS privacy https://aws.amazon.com/privacy/ and terms https://aws.amazon.com/service-terms/; Cloudflare privacy https://www.cloudflare.com/privacypolicy/ and terms https://www.cloudflare.com/website-terms/
Optional integrations
MaxMind GeoLite2 (download.maxmind.com) is used only when an administrator downloads or updates the local GeoIP database. It sends the configured MaxMind account ID and license key. Visitor IPs are resolved locally and are not sent to MaxMind during normal requests. Privacy: https://www.maxmind.com/en/privacy-policy Terms: https://www.maxmind.com/en/geolite2/eula
Have I Been Pwned Passwords (api.pwnedpasswords.com) is used for breached-password checks when enabled. SiteFort sends only the first 5 characters of the SHA-1 password hash. Full passwords and full hashes are never sent. Privacy: https://haveibeenpwned.com/Privacy Terms: https://haveibeenpwned.com/TermsOfUse
Google reCAPTCHA (www.google.com) and Cloudflare Turnstile (challenges.cloudflare.com) are used only when selected and configured for CAPTCHA protection. They receive the challenge token, site key, and visitor/browser data required by the selected provider. Policies: https://policies.google.com/privacy https://policies.google.com/terms https://www.cloudflare.com/turnstile-privacy-policy/ https://www.cloudflare.com/website-terms/
Cloudflare API (api.cloudflare.com) is used only when Cloudflare Sync is enabled. It sends Zone ID, API token/credentials, zone details, blocked IPs, country rules, selected user-agent rules, and firewall rule data. Privacy: https://www.cloudflare.com/privacypolicy/ Terms: https://www.cloudflare.com/website-terms/
Notification webhooks may send security alerts to Slack (hooks.slack.com), Discord (discord.com, discordapp.com), or a custom HTTPS webhook entered by the administrator. Webhook payloads may include site name, site URL, event type, severity, scan counts, vulnerability names, CVE identifiers, firewall counts, usernames, IP addresses, browser names, action URLs, timestamps, and event details. Slack policies: https://slack.com/trust/privacy/privacy-policy https://slack.com/terms-of-service/user Discord policies: https://discord.com/privacy https://discord.com/terms
Local site checks
Some requests are loopback checks against the protected site’s own public URL, such as security-header checks, public-file exposure checks, and homepage link collection. These contact the site being protected, not a third-party service.
