Description
Your website deserves protection that’s simple, fast and built for WordPress. SiteLock WordPress Security focuses on the everyday controls that matter most and helps you establish a secure baseline in minutes — WordPress-specific hardening, login protection and a clear Site Health dashboard that keeps you in control without slowing your site down.
It’s lightweight, action-first protection that complements your host defenses: essential safeguards run inside WordPress while deeper checks happen securely in the SiteLock cloud. Skip heavy on-server scans and alert fatigue — run on-demand checks when you need extra assurance, so you can ship updates with confidence.
Security that grows with you
Our goal is straightforward: maintain a strong baseline with minimal overhead while giving you clear visibility and room to grow as your needs evolve.
And because security is never static, this plugin keeps pace. Next up: Two-Factor Authentication (2FA) to strengthen login security (coming soon).
Commercial plugin
This plugin is free but offers additional paid commercial upgrades or support.
What’s included
WordPress Hardening: Cut common attack paths in just a few clicks.
- Disable directory listing.
- Restrict PHP execution in upload folders.
- Limit unsafe script types.
- Force strong configuration defaults to close risky gaps.
All options are toggle-based and reversible — safe to enable, easy to test and lightweight on performance.
Login Security: Protect what matters most — your access
- Brute-force defense: Blocks repeated failed logins and temporarily locks abusive IPs.
- Password policy prompts: Encourage stronger credentials without breaking workflows.
- Session timeouts: Automatically end idle sessions to prevent account hijacks.
- Activity awareness: View recent logins and admin changes in the Activity Log.
Heads-up: Two-Factor Authentication (2FA), a second layer of verification for even greater login protection, is already in development and will arrive as part of the next plugin milestone.
Site Health & Cloud Checks: Clarity without noise.
- Site Health Dashboard: Surface key signals in one view — WordPress hardening status, last scan timestamp and actionable indicators
- Cloud Checks: Connect your free SiteLock account to enable recurring off-server checks (Webpage Scan, SSL Verification, Email Reputation and more)
- Scan Now: Run on-demand checks after updates or changes for instant assurance, with no heavy, always-on local scanners
- Activity Log: Track what’s happening across your WordPress admin. See admin/login events at a glance, making it easy to spot anomalies early and keep accountability clear.
Why Choose SiteLock WordPress Security?
- Lightweight by design: All high-impact protections, no unnecessary load
- Real visibility: Know your security posture in seconds with Site Health
- Cloud-powered assurance: Checks run off-server, protecting performance
- Flexible setup: Use standalone or connect a SiteLock account for added layers
- Future-ready: Two-Factor Authentication and enhanced security features are already on the horizon
- Trusted heritage: From the global leader in SMB website security backed by continuous innovation and research
- Aligned to WordPress: Designed to stay out of your way and keep performance priorities intact
Who It’s For
- Small businesses & startups
- Portfolio & personal brand sites
- WooCommerce shops & small e-commerce
- Agencies & website maintenance services
- Freelance developers & web designers
- Bloggers, creators & publishers
- Community & membership sites
- Nonprofits & educational sites
If you manage a WordPress website, SiteLock gives you confidence and control whether you run one site or hundreds.
Can I Fix an Already-Infected Site with This Plugin?
The plugin focuses on prevention, posture and visibility — not full malware removal. It isn’t designed to fully clean up sites that were infected before it was active.
If your site is already compromised, act quickly. We recommend:
- Restore from a clean backup if available
- Remove malicious files manually or with professional help
- For urgent assistance, consider SiteLock 911 – Emergency Malware Removal for rapid cleanup
- For ongoing defense, consider choosing a comprehensive SiteLock plan
Don’t Know Where To Start? Try This
Here are common first moves teams take with SiteLock. Order isn’t enforced — choose what fits your site and workflow:
- Enable WordPress hardening that matches your hosting and theme setup
- Turn on Login Security controls: brute-force lockouts, session timeouts, and password-hygiene prompts
- Connect a free SiteLock account, then use Scan Now to run an on-demand check after plugin/theme updates
- Review the Activity Log after major changes to spot unexpected admin/login events quickly
Make one change at a time, validate and roll back any toggle that conflicts with your stack.
Need Help with Setup or Fixes?
- Visit Help Center – WordPress for plugin-specific help
- For broader topics explore the SiteLock Help Center
Installation
Getting Started
- In Plugins > Add New, search “SiteLock Security”, then Install and Activate
- Open SiteLock from the left menu
- Choose your setup path:
a. Use free baseline protections (no account required) or
b. Connect your SiteLock account (or create one) to enable cloud checks and add broader protections (optional)
- Toggle the WordPress hardening and login protections that fit your site
- After you’ve connected a SiteLock account (free tier supported), Scan Now runs an on-demand check and recurring scans run by default to keep your site monitored at all times
FAQ
-
Will this slow my site?
-
No, the plugin is designed to be lightweight. SiteLock security scans run in the SiteLock cloud, so both recurring scans and on-demand checks are processed off-site, keeping the resource impact on your WordPress site minimal.
Locally, the plugin applies optional website hardening and login hygiene. These actions are event-driven with negligible impact on typical page loads.
Bottom line: cloud-powered scanning plus low-overhead local controls deliver ongoing monitoring with minimal footprint in WordPress.
-
Does this plugin run constant background scans?
-
No. The plugin focuses on low-impact protections and on-demand checks you control.
-
Where do I see results inside WordPress?
-
The Site Health view shows status at-a-glance. The Cloud Services panel shows your latest cloud scan status and findings. For full history, use your SiteLock dashboard.
-
Can I use the plugin without a SiteLock account?
-
Yes, you can use the free plugin features without an account. Core hardening and login security work out of the box. Connect a free SiteLock account to unlock Site Health, Scan Now and recurring Cloud Checks. Paid SiteLock plans add deeper malware and vulnerability scans.
-
What happens if I disconnect my SiteLock account?
-
Local protections continue to work. Cloud scans, if configured, will continue to operate but data will not be pulled into the plugin unless they’re connected with a license key.
-
What’s included in the free SiteLock tier vs paid?
-
The free plugin includes WordPress Hardening and Login Security. Connect a free SiteLock account to unlock the Site Health view, enable recurring Email Reputation Scan, SSL Monitoring, Webpage and Vulnerability scans + Scan Now on-demand checks. Paid plans add SMART File and SMART Database scans.
-
Can I safely disable features?
-
Yes. Every hardening toggle is reversible — disable and retest anytime.
-
Does this replace my firewall or CDN?
-
No. This plugin sets your on-site baseline. For active blocking and performance protection, connect a full SiteLock plan to enable the SiteLock Firewall (WAF) and CDN.
-
What about Two-Factor Authentication (2FA)?
-
Enhanced protection is on the horizon — stay tuned for the update! 2FA is actively in development. It’s designed to layer on top of our current login protections, bringing stronger, verification-based defense without adding friction for site owners.
-
What changes does this plugin make that could affect my site?
-
Nothing changes until you enable a setting. Login features don’t alter your theme or content. Some hardening options intentionally tighten execution rules and may impact edge cases, for example:
– Deny Access to Unsafe Script Extensions: blocks execution of unexpected script types (phtml, phar, cgi, pl, py, asp, aspx, jsp). If your site needs one of these, don’t enable this toggle.
– Harden Writable Directories: blocks PHP execution in /wp-content/uploads. Plugins/themes that execute PHP there may stop working.
Best practice: enable settings gradually, test and revert any toggle that conflicts with your stack.
-
What is the Site Health view?
-
It’s a simple, low-impact status view of key checks.
-
What is “Scan Now”?
-
An on-demand check for key items — useful after you update plugins/themes or change configuration. It does not perform heavy on-server scans.
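A pre-flight check for the two hardening toggles described in the FAQ above ("Deny Access to Unsafe Script Extensions" and "Harden Writable Directories"), added here as an example and not part of the plugin's code: it lists the files under the uploads directory that each toggle would stop from executing, so you can see what might break, or what should not be there at all, before enabling them. The function names, the sample tree and the reading of "PHP execution" as `.php` files are assumptions.

```python
import os
import tempfile

# Extensions listed on the page for "Deny Access to Unsafe Script Extensions".
UNSAFE_SCRIPT_EXTS = {"phtml", "phar", "cgi", "pl", "py", "asp", "aspx", "jsp"}
# Assumption: "PHP execution" under "Harden Writable Directories" means .php files.
PHP_EXTS = {"php"}


def audit_uploads(uploads_dir):
    """Return {toggle name: sorted relative paths} for files each toggle would affect."""
    hits = {"Deny Access to Unsafe Script Extensions": [],
            "Harden Writable Directories": []}
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            # Compare the final extension case-insensitively (Helper.PHP counts).
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            rel = os.path.relpath(os.path.join(dirpath, name), uploads_dir)
            rel = rel.replace(os.sep, "/")
            if ext in UNSAFE_SCRIPT_EXTS:
                hits["Deny Access to Unsafe Script Extensions"].append(rel)
            elif ext in PHP_EXTS:
                hits["Harden Writable Directories"].append(rel)
    return {toggle: sorted(paths) for toggle, paths in hits.items()}


def build_sample_tree(base):
    """Create a constructed wp-content/uploads tree (sample data, not from a real site)."""
    uploads = os.path.join(base, "wp-content", "uploads")
    for rel in ("2025/11/logo.png", "2025/11/report.pdf",
                "2025/11/Helper.PHP", "cache/export.phtml", "forms/mailer.pl"):
        path = os.path.join(uploads, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return uploads


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for toggle, paths in audit_uploads(build_sample_tree(tmp)).items():
            print(f"{toggle}: {len(paths)} file(s) to review")
            for p in paths:
                print(f"  {p}")
```

Point `audit_uploads` at a site's real `wp-content/uploads` path; an empty result for a toggle means nothing in that directory depends on the execution it blocks.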
Contributors & Developers
“SiteLock Security – WP Hardening, Login Security & Malware Scans” is open source software. The following people have contributed to this plugin.
“SiteLock Security – WP Hardening, Login Security & Malware Scans” has been translated into 4 locales. Thank you to the translators for their contributions.
Changelog
5.0.1
Release Date November 10, 2025
- Security updates.
5.0.0
Release Date November 4, 2025
Enhancements
- License key–based connection flow (SSO-compatible) replacing legacy auth.
- Full UI redesign aligned with SiteLock dashboard + WordPress admin standards.
- WordPress Hardening features:
- Disable directory listing.
- Block execution of unsafe script extensions.
- Basic XSS / SQL Injection request filtering.
- Block PHP execution inside writable asset directories (e.g. ‘wp-content/uploads’).
- Login Security features:
- Login lockout (rate limiting after repeated failures).
- Forced logout time controls by role.
- Password strength enforcement (new users & password changes).
- Login Activity Log (role-aware).
- Admin Audit Log (tracks privilege & role changes).
- In-dashboard Security Report providing an overview of your latest SiteLock security scans.
- Site Health score indicator in wp-admin.
- Improved signup flow for new users.
Deprecated
- SiteLock Trust Seal HTML embed.
- Post scanning functionality (legacy).
- Admin Dashboard Widget, Admin Bar dropdown.
- Post editor metaboxes.
- WAF & CDN settings panel (SiteLock Dashboard preferred).
Migration / Upgrade Notes
- After updating, go to: SiteLock > Settings > SiteLock Plan & License and enter your new license key (required going forward).
4.2.4
Release Date July 31, 2024
- This release improves compatibility with WordPress 6.6.
- Now requires a minimum PHP version of 7.2.
4.2.3
Release Date October 12, 2023
- This release improves compatibility with WordPress 6.3.
- Now requires a minimum PHP version of 7.0.
4.2.2
Release Date October 28, 2022
- Security updates.
4.2.0
Release Date July 6, 2022
- Updated to support WordPress 6.0.
- SiteLock WordPress Plugin provides complete website security management without leaving WordPress.
4.1.0
Release date: November 9, 2020
- Updated to support PHP 7.4 and WordPress 5.5.
- Support for new SiteLock API improvements.
- Better error handling for sites without an active subscription.
- Fixed PHP notices.
- Regained access to our account, so we can continue providing updates!
4.0.5
Release date: April 20, 2017
- Resolved minor PHP warning message.
4.0.4
Release date: December 8, 2016
- Resolves bug with badge settings.
4.0.3
Release date: December 6, 2016
- This release improves compatibility with WordPress 4.7.
4.0.2
Release date: December 3, 2016
- Restores missing file needed for source code scan.





