Managed WAF
Rule sets curated for WordPress and WooCommerce. XML-RPC abuse, REST endpoint scraping, plugin-specific exploits, SQLi, XSS, patched within hours of disclosure.
Platform · Security
Defended at every layer.
Tuned for WordPress.
A managed Web Application Firewall built around WordPress's real attack surface, daily malware scanning with automatic clean-up, brute-force protection, free SSL on every domain, and container-isolated sites, included on every plan.
1.2M+
Malicious requests blocked
across the fleet, daily
Daily
Malware scans + clean-up
with auto-quarantine
Free
SSL on every domain
auto-renewed forever
Per-site
Container isolation
no shared filesystem
Defense in depth
Six layers, all working together.
No single line of defense. Each layer assumes the others might fail.
Malware scan + clean-up
Every site is scanned daily against a curated WordPress malware corpus. Detected files are auto-quarantined and our team cleans the site without you opening a ticket.
Brute-force protection
wp-login, XML-RPC and REST auth endpoints are rate-limited and IP-throttled. Repeated failed attempts trigger temporary network-level blocks.
Free SSL, every domain
Let's Encrypt provisioned and auto-renewed for every primary domain, alias and subdomain. HTTP/3, TLS 1.3 and HSTS by default.
Continuous coverage
Always watching, even when you aren't.
24/7 proactive monitoring
Anomalous traffic, error spikes, and integrity changes alert our on-call engineers. Most incidents are contained before customers notice.
DDoS absorption
Anycast network with multi-Tbps capacity. Layer 3/4 floods are absorbed at the edge, your origin never sees them.
Auto-updates with rollback
WordPress core is updated automatically, and rolled back instantly if a regression is detected on your site.
Managed WAF
A firewall that knows WordPress.
Generic WAFs (the ones bundled with most CDNs) catch SQLi and XSS but miss the things that actually compromise WordPress sites, vulnerable plugins, REST endpoints, XML-RPC abuse. Ours is curated specifically for the WordPress ecosystem.
See a recent rule updateWordPress core CVEs
Patched at the WAF before you've updated. We backport rules within hours of public disclosure.
Plugin & theme exploits
Virtual patches for the top 200 vulnerable plugins. Even an out-of-date plugin is shielded from the known exploit.
Admin & login hardening
Rate-limit /wp-login.php and XML-RPC. Block known credential-stuffing dictionaries.
WooCommerce abuse
Card-testing, coupon enumeration and inventory-scraping detection, patterns specific to e-commerce.
Malware response
From injection to clean, without a ticket.
Most hosts will scan your site. We scan, quarantine, restore, and tell you about it after.
01
Daily integrity scan
Every file is hashed and compared against a known-good baseline plus a curated WordPress malware signature database.
02
Auto-quarantine
Suspicious files are moved to an isolated location within seconds of detection. The injection stops affecting visitors immediately.
03
Restore + clean
We restore clean files from the most recent unaffected hourly snapshot and patch the entry point. Usually done within 30 minutes.
04
Post-incident review
You get a short report, what was injected, how it got in, what we patched, and what (if anything) needs your attention.
Vs. the usual suspects
Most hosts sell security. We do it.
| Capability | WP Tango | Kinsta | WP Engine | Generic shared |
|---|---|---|---|---|
| Managed WAF tuned for WordPress | ||||
| Plugin-specific virtual patching | ||||
| Daily malware scanning | ||||
| Free clean-up if compromised | ||||
| Free SSL on every domain & alias | ||||
| Container isolation per site | ||||
| DDoS absorption included |
Frequently asked questions
Security, plainly explained.
What our team handles 24/7 so you don't have to.
Defense, not a dashboard
Sleep easier. We're already watching.
WAF, malware scan, brute-force protection, SSL and DDoS, included on every plan, monitored by humans 24/7.
1.2M+
Daily blocks
< 30 m
Median clean-up
Free
SSL forever
24/7
Eyes on every site