Full-site scanning
Walks the WordPress filesystem on a schedule you set — daily, weekly, or off — and inspects every PHP, JS, and theme file. Scheduled and manual runs share one queue.
Features
Detection that catches injections hidden in legitimate files.
Anything WordPress accepts as an upload (media, plugin, theme installer) is checked the moment it lands. Malware is blocked and removed before it persists to disk.
Core, plugin, and theme files are compared against canonical upstream bytes. Modified, missing, and extra files are flagged with the exact byte-level delta.
Every scan — manual, scheduled, or upload-triggered — is recorded with what it found, what was cleaned, and how long it ran. Auditable, exportable, never overwritten.
On every detected threat: one button. Modified core, plugin, and theme files are restored to canonical content. Injections in otherwise-legitimate files are removed precisely; the file's legitimate functionality stays intact. No risk of downtime during any cleanup.
After every scheduled scan, Auto-fix removes malicious files and injections automatically, honouring your ignore-lists. Available on every install. Pro lifts the monthly cleanup cap so Auto-fix never stalls mid-month on a busy site.
A single Fix All action resolves every malware finding and every integrity issue in the current scan in one step. Available on every install. Pro lifts the monthly cleanup cap so Fix All never stalls part-way through a batch.
When a file is a modified version of known core, plugin, or theme code, the canonical bytes are fetched and cryptographically signed end-to-end. No guessing, no partial fixes, no tampered replacement bytes.
TOTP, email fallback, recovery codes, trusted devices, per-role enforcement, grace period for rollout. Migration importer pulls 2FA enrolments from competing plugins.
Rate-limited logins, multi-tier lockouts, honeypot, optional hCaptcha. Counters wp-login, XML-RPC, and the REST password-reset paths in one place.
Country gating on login and admin (with a confirm-or-revert lockout guard so you cannot lock yourself out), plus an allow / deny IP firewall with CIDR rules and country filters.
Ten HTTP security headers with cookie hardening defaults, five preset modes, and a Self-Check that grades the site A+ to F across 21 hardening checks with one-click Fix buttons.
Pulls security settings out of Wordfence, AIOS, Sucuri, and Solid Security and applies them on Segurium — IP rules, 2FA enrolments, scan exclusions, lockout policy. Built for buyers moving in, not for buyers worrying about things going wrong.
Every cleanup writes an encrypted copy of the original file to a write-only bucket on the WordPress install before it touches the file. The Backups screen in the plugin admin restores any captured file. The capability is plumbing — the precision of the cleanup itself is what eliminates the risk of downtime.
Self-host operators, hosting partners, and agencies get the same surface as the SaaS — the public detection contract, signed response bodies, and an on-premise mode that keeps file contents on your server.
Full visibility — no payments, no signup, no credit card.
Download from WP.org