Features

Detect. Clean. Harden. Move in.

Detection that catches injections hidden in legitimate files.

Find what's there, including the parts hidden in legitimate files

Full-site scanning

Walks the WordPress filesystem on a schedule you set — daily, weekly, or off — and inspects every PHP, JS, and theme file. Scheduled and manual runs share one queue.

Real-time upload scanning

Anything WordPress accepts as an upload (media, plugin, theme installer) is checked the moment it lands. Malware is blocked and removed before it persists to disk.

Integrity scan against canonical content

Core, plugin, and theme files are compared against canonical upstream bytes. Modified, missing, and extra files are flagged with the exact byte-level delta.

Scan history

Every scan — manual, scheduled, or upload-triggered — is recorded with what it found, what was cleaned, and how long it ran. Auditable, exportable, never overwritten.

Cleanup that doesn't break the site is not free in most competitors

Service quota — Free 3 / 30d, Pro unbounded

One-click cleanup

On every detected threat: one button. Modified core, plugin, and theme files are restored to canonical content. Injections in otherwise-legitimate files are removed precisely; the file's legitimate functionality stays intact. No risk of downtime during any cleanup.

Auto-fix on every scan

After every scheduled scan, Auto-fix removes malicious files and injections automatically, honouring your ignore-lists. Available on every install. Pro lifts the monthly cleanup cap so Auto-fix never stalls mid-month on a busy site.

Bulk Fix All

A single Fix All action resolves every malware finding and every integrity issue in the current scan in one step. Available on every install. Pro lifts the monthly cleanup cap so Fix All never stalls part-way through a batch.

Canonical-content restoration, signed end-to-end

When a file is a modified version of known core, plugin, or theme code, the canonical bytes are fetched and cryptographically signed end-to-end. No guessing, no partial fixes, no tampered replacement bytes.

The defaults you expected for free, on every install

Two-factor authentication

TOTP, email fallback, recovery codes, trusted devices, per-role enforcement, grace period for rollout. Migration importer pulls 2FA enrolments from competing plugins.

Brute-force protection

Rate-limited logins, multi-tier lockouts, honeypot, optional hCaptcha. Counters wp-login, XML-RPC, and the REST password-reset paths in one place.

Geo-blocking + firewall

Country gating on login and admin (with a confirm-or-revert lockout guard so you cannot lock yourself out), plus an allow / deny IP firewall with CIDR rules and country filters.

Security headers + Self-Check grade

Ten HTTP security headers with cookie hardening defaults, five preset modes, and a Self-Check that grades the site A+ to F across 21 hardening checks with one-click Fix buttons.

Land softly, recover quietly

Migration importer

Pulls security settings out of Wordfence, AIOS, Sucuri, and Solid Security and applies them on Segurium — IP rules, 2FA enrolments, scan exclusions, lockout policy. Built for buyers moving in, not for buyers worrying about things going wrong.

Pre-cleanup encrypted backup

Every cleanup writes an encrypted copy of the original file to a write-only bucket on the WordPress install before it touches the file. The Backups screen in the plugin admin restores any captured file. The capability is plumbing — the precision of the cleanup itself is what eliminates the risk of downtime.

Run it your way

Self-host operators, hosting partners, and agencies get the same surface as the SaaS — the public detection contract, signed response bodies, and an on-premise mode that keeps file contents on your server.

Find hidden malware with Segurium

Full visibility — no payments, no signup, no credit card.
