WordPress Plugins
GuardPress ForgeCache SiteVault SiteVault Lite SEObolt Royal Links Royal Affiliates FormForge Royal MCP Royal SMTP RoyalComply Royal Access Royal Ledger
Free Tools
SERP Preview Schema Validator Meta Tag Checker SSL Checker HTTP Headers Site Scanner Plugin Scanner Royal Links (Chrome) Royal Access (Chrome)
Pricing Blog Case Studies Switch to Royal Plugin Graveyard Support My Account Cart
Version: 1.6.25

GuardPress Pro — Complete WordPress Security Plugin

WordPress-native firewall, malware scanner, two-factor authentication, brute force protection, file integrity monitoring, outdated software check, and real-time activity logs. 15+ protection modules, 30-day audit trail, and no required cloud dependency — everything runs on your server. No outbound scanning queue, no Wordfence Premium delay, no Sucuri subscription.

90% of hacked CMS sites run WordPress. GuardPress is built to keep yours out of the 90%.
By Jameson · Founder & Lead Developer
Firewall (WAF)
Malware Scanner
2FA Login
Brute Force
24/7 Monitoring
$99 $59 / Year (Save $40)

1 Site

  • Firewall (WAF) & malware scanner
  • Outdated software check
  • Two-factor authentication
  • Brute force protection & activity logs
Buy Now
Buyer Protection
1 Year Updates
Priority Support
security security passed passed Code Scanned
30 Days Money Back Guarantee
Why Security Matters

Protect What You've Built

WordPress powers over 40% of the web, making it the biggest target for hackers. Every 39 seconds, a website is attacked somewhere on the internet. Without proper protection, your site is vulnerable to malware, data theft, and devastating SEO penalties.

Google blacklists over 10,000 websites daily for malware. Getting hacked doesn't just cost you data—it destroys visitor trust, tanks your rankings, and can take months to recover from. Prevention is infinitely easier than cleanup.

30K+ WordPress sites hacked every day worldwide
94% of hacked sites see significant SEO ranking drops
$200K average cost of a data breach for small businesses

Without GuardPress

  • Vulnerable to malware such as backdoors, cryptominers, and SEO spam injections
  • Constant brute force login attempts
  • According to Patchstack, 97% of WordPress vulnerabilities come from plugins in 2025. No idea if site is compromised
  • Complex security configurations
  • Sleepless nights worrying

With GuardPress

  • Protected by intelligent firewall — for example, blocking SQL injection, XSS, and file inclusion attacks
  • Brute force attacks blocked automatically
  • Real-time malware detection & alerts
  • One-click setup, zero config needed
  • Peace of mind, finally

Great content and SEO work mean nothing if your site gets hacked. Security is the foundation everything else is built on.

Every Protection

24+ protection modules. No add-ons.

Here's the complete list of what GuardPress Pro ships with, grouped by what each one defends.

Core Protection 6

  • Brute force attack protection
  • Two-factor authentication (TOTP)
  • Spam protection (comments & forms)
  • Malware scanner with 20+ signatures
  • File integrity monitoring
  • Downtime & uptime monitoring

WAF & Detection 6

  • Web application firewall
  • SQL injection detection (UNION / time / stacked / file)
  • XSS attack blocking
  • SSRF & dangerous-scheme protection
  • Rate limiting / request flood prevention
  • IP block / whitelist / country block

Login Hardening 6

  • Login page CAPTCHA (Turnstile / math)
  • Custom login URL (hide /wp-login.php)
  • Per-role 2FA enforcement
  • Failed-login lockout
  • Login notifications
  • Emergency lockdown switch

Monitoring & Audit 5

  • Activity / audit log of every change
  • Real-time traffic monitoring
  • Email security alerts
  • Security dashboard with score
  • Dashboard widget summary

Hardening & Headers 5

  • Security headers (CSP, HSTS, X-Frame-Options)
  • Force strong passwords
  • XML-RPC protection
  • Disable file editing
  • Hide WordPress version & signatures

Updates & Compliance 3

  • Outdated software check (core / plugins / themes)
  • Database security scanner & cleanup
  • Core file verification
See It In Action

Powerful Protection, Simple Interface

Intelligent Firewall

Our Web Application Firewall (WAF) analyzes every request before it reaches your site. Malicious traffic is blocked instantly, legitimate visitors pass through seamlessly.

  • Real-time threat detection
  • SQL injection protection
  • XSS attack prevention
  • Zero performance impact
  • Doesn't block search engine crawlers
GuardPress Pro Firewall Dashboard

Malware Scanner

Deep scanning technology checks every file on your WordPress installation. Known malware signatures and suspicious patterns are detected and reported instantly.

  • Scheduled automatic scans
  • File integrity monitoring
  • Core file comparison
  • Detailed threat reports
GuardPress Pro Malware Scanner

Login Protection & 2FA

Stop brute force attacks cold. Intelligent rate limiting, CAPTCHA integration, and two-factor authentication keep unauthorized users out permanently.

  • Brute force blocking
  • Two-factor authentication (TOTP)
  • Login CAPTCHA protection
  • Login attempt logging
GuardPress Pro Login Protection

Real-Time Monitoring

Know exactly what's happening on your site at all times. Activity logging tracks every action, while uptime monitoring alerts you instantly if something goes wrong.

  • Complete activity logging
  • Uptime monitoring
  • Email security alerts
  • User action audit trail
GuardPress Pro Activity Log

WordPress Dashboard Widget

See your security status at a glance right from the WordPress dashboard. No need to navigate to the security pages—your protection level is always visible.

  • Security score at a glance
  • Threat and vulnerability count
  • Color-coded status indicators
  • Quick link to full dashboard
GuardPress WordPress Dashboard Widget

IP Whitelisting & Blocking

Take full control of who can access your site. Whitelist trusted IPs for guaranteed access, or block malicious IPs and entire ranges with one click.

  • IP whitelist for trusted users
  • Block individual IPs or ranges
  • Country-based blocking
  • Auto-block repeat offenders
GuardPress Pro IP Management

Outdated Software Check

Catches the low-hanging fruit attackers look for: pending core/plugin/theme updates, abandoned plugins, insecure TimThumb/debug.log/config-backup patterns, and hardening misconfigurations (weak admin username, WP_DEBUG on, file editing enabled, SSL missing, user enumeration open).

  • Pending update alerts (core, plugins, themes)
  • Abandoned-plugin detection
  • Hardening misconfiguration checks
  • Actionable fix suggestions
GuardPress Pro Outdated Software Check

Comprehensive Settings

Fine-tune every aspect of your security. From hardening options to notification preferences, you're in complete control with our intuitive settings panel.

  • Security hardening toggles
  • Email alert configuration
  • Custom security headers
  • Rate limiting controls
GuardPress Pro Settings
What We Block

The attacks GuardPress actually catches

Real attack signatures, not generic claims. The detection engine was rewritten in 1.6.18 to use grammar-based matching — so legitimate content with the words “select” and “from” in the same string passes, while a stacked-query injection at /wp-admin/admin-ajax.php gets blocked.

7
SQLi vector classes detected
20+
Malware signatures shipped
5
Private network ranges blocked from SSRF
100%
Server-side — no cloud dependency
🛡

SQL Injection

Grammar-based matching, not greedy keyword pairs. Catches all 7 classical injection vectors without false-positiving SQL tutorials or comments.

  • UNION-based with whitespace
  • Boolean tautology with end markers (--, ;, /*)
  • Stacked queries with semicolons
  • Time-based: sleep(), benchmark()
  • File functions: LOAD_FILE, INTO OUTFILE
  • information_schema enumeration
🚧

XSS & Script Injection

Cross-site scripting attempts in URL params, headers, POST bodies, and cookie values — matched against known reflected and stored XSS patterns.

  • Reflected XSS in GET / POST
  • Stored XSS payloads
  • DOM-based vector strings
  • Event-handler injection
  • JavaScript URI schemes
🔒

SSRF & Dangerous Schemes

Server-side request forgery attempts and dangerous URL schemes are blocked unconditionally — even when a URL shortener plugin is active.

  • file://, php://, data: schemes
  • Loopback: 127.0.0.1 / localhost
  • Private nets: 10.x / 192.168.x / 172.16-31.x
  • Link-local: 169.254.x (cloud metadata)
  • Always runs (post-1.6.19)
🔑

Brute Force & Credential Stuffing

Always-on protection independent of CAPTCHA — even if a token is missing, the lockout still fires.

  • Failed-login rate limiting
  • IP-level lockout after N attempts
  • Username enumeration block
  • Application Password & XML-RPC paths covered
  • WooCommerce / BuddyPress / MemberPress login surfaces
🐛

Malware & File Tampering

Deep file scanning catches code patterns and signatures, while file integrity monitoring flags any unexpected change to core, plugin, or theme files.

  • 20+ malware signatures
  • Suspicious code-pattern matching
  • Core file verification (vs WP.org checksums)
  • Real-time file change alerts
  • Database scanner for poisoned records
🚫

Bot & Bad Traffic

Country-level blocking, IP allow / deny, and rate limiting keep low-quality and abusive traffic away before it reaches WordPress.

  • Country-based blocking
  • IP block / whitelist
  • Request rate limiting
  • XML-RPC abuse protection
  • Spam comment / form filtering

All blocking happens server-side at plugins_loaded:20, before WordPress dispatches a single hook. No outbound scanning queue, no Wordfence-style 30-day rule delay.

Compare

Free vs Pro

Not sure which version is right for you? Compare all features side-by-side to find the perfect fit for your WordPress security needs.

Free Basic firewall, limited scans
Pro Full protection, 2FA, monitoring
View Full Comparison →
Easy Migration

Switching from Wordfence?

One-click migration imports your IP blocklists, login settings, and notification preferences. No data lost, no downtime.

1

Install GuardPress

Install and activate alongside your current plugin.

2

Auto-Detect

GuardPress finds your Wordfence, Sucuri, or Solid Security data automatically.

3

One-Click Import

Preview what transfers, then import with one click.

✓ Wordfence ✓ Sucuri ✓ Solid Security

What Transfers

  • IP blocklists (permanent & temporary)
  • Login security settings
  • Email notification preferences
  • Ban lists with reasons

Stays Behind

  • Firewall learning data
  • Scan results
  • Live traffic history
Learn More About Switching →
Side by Side

GuardPress Pro vs the paid security plugins

All four major paid WordPress security plugins, compared on the protections that matter most.

Feature ProGuardPress PremiumWordfence PlatformSucuri ProiThemes Security PremiumAll-In-One WP Security
Web application firewall Partial
Real-time firewall rules (no 30-day delay) × 30-day delay ×
Malware scanner Basic
Two-factor authentication ×
Per-role 2FA enforcement × × Partial ×
SSRF & dangerous-scheme protection × Cloud-only × ×
File integrity monitoring
Outdated software check Partial × × ×
Activity / audit log Limited ×
Country-based blocking × ×
Security headers (CSP / HSTS / X-Frame) × CDN-only Partial
Uptime monitoring × × ×
Runs without cloud dependency Partial ×
Yearly cost (1 site) $59 $149 ~$200–$500 ~$80 ~$70
Yearly cost (5 sites) $149 $745 ~$1,000–$2,500 ~$200 ~$280

Pricing accurate as of May 2026. Tier names and exact pricing change — check vendor sites for current details. “Partial” means the feature exists in the plugin but is limited or requires an add-on; “CDN-only” means the feature is delivered through a paid CDN tier rather than the plugin itself.

vs Wordfence in detail vs Sucuri in detail Free vs Pro

25+

Security Features

99.9%

Attack Prevention

24/7

Monitoring

100%

WP Compatible

Who It's For

Tuned for the way your site actually gets attacked

Same plugin, different threat models. Pick the angle that matches what you protect.

Bloggers & Personal Sites

Set-and-forget protection

Brute force lockout, 2FA on the admin account, malware scanner, and outdated software check. Configured once, alerts you only when something actually matters.

  • 2FA on the admin user
  • Brute force protection
  • Custom login URL
  • Email alerts for real threats
  • Outdated plugin check
Suggested tier: 1 Site — $59/yr

E-commerce & WooCommerce

PCI-conscious hardening

Bot blocking and rate limiting at the WAF, file integrity monitoring on payment-handling plugins, and security headers (CSP / HSTS) that pass payment-processor security scans.

  • WAF + rate limiting against checkout abuse
  • Country-based blocking for high-fraud regions
  • CSP / HSTS / X-Frame for PCI checks
  • File integrity on cart & payment files
  • 2FA on shop manager / admin roles
Suggested tier: 1 or 5 Sites — $59–$149/yr

Membership & SaaS

Granular role & audit

For sites where users log in. Per-role 2FA enforcement, full activity log, login notifications, and CAPTCHA that works on WooCommerce / MemberPress / BuddyPress login surfaces (not just wp-login).

  • Per-role 2FA enforcement
  • Full audit log of every change
  • Login notifications to admins
  • CAPTCHA on every login surface
  • Application Password & XML-RPC controls
Suggested tier: 5 Sites — $149/yr

Agencies

100 sites, one license

One $299/yr license activates GuardPress on up to 100 client sites. Same dashboard widget on every install — check security score across the portfolio without logging into each site.

  • 100 sites for $299/yr
  • Per-site dashboard widget summary
  • Email alerts grouped by site
  • No outbound cloud dependency
  • Drop-in deploy across new clients
Suggested tier: 100 Sites — $299/yr

30-Day Money-Back Guarantee

If you aren't happy with our plugins, our features, or our support, reach out to our support team and request a refund within 30 days of your original purchase for a full refund.

View Refund Policy →
FAQ

Common Questions

No. GuardPress is built with performance in mind. The firewall operates at the application level with minimal overhead, and all scans run in the background without affecting page load times.
We recommend using only one security plugin to avoid conflicts. GuardPress includes a migration wizard that imports your IP blocklists, login settings, and notification preferences from Wordfence, Sucuri, or Solid Security before you deactivate the old plugin.
Yes! GuardPress is optimized for shared hosting environments. It requires minimal server resources and works with PHP 7.4+ on any standard WordPress hosting.

Yes — and the 1.6.17 patch was specifically about this. Older versions called session_start() on every init hook, which forced a no-store Cache-Control header on every response and silently neutralized Cloudflare, FastCGI cache, ForgeCache, and WP Rocket. 1.6.17+ scopes session start to wp-login.php only, so caching layers (WP Rocket, LiteSpeed, W3 Total Cache, ForgeCache, Cloudflare APO) work the way they should.

No. The CAPTCHA renders on every login surface (WooCommerce /my-account/, BuddyPress, bbPress, MemberPress, RCP, Paid Memberships Pro, theme login forms, page builder login widgets) — not just wp-login.php. REST API basic auth, Application Passwords, and XML-RPC fail-open if no token is present so your headless / mobile / API clients aren't broken. Brute-force lockout still applies to all surfaces.

Two recovery paths: (1) the IP unblock list in the admin lets you remove a blocked IP in one click, (2) if you're locked out of the admin entirely, deactivate the plugin via FTP or your host's file manager — settings persist, so reactivation restores everything. The 1.6.18 SQL detection rewrite specifically targets false-positive reduction; pre-1.6.18 patterns were too greedy and caught legitimate content.

Format-aware. When a request is blocked, GuardPress detects whether it's a REST call (/wp-json/ or ?rest_route=), an AJAX request, an XML-RPC payload, or a cron run, and emits a JSON / XML / plain-text 403 instead of an HTML page. Pre-1.6.18 every block returned HTML, which broke headless clients and tripped the rate limiter on retries.

Three tiers: 1 Site ($59/yr), 5 Sites ($149/yr), 100 Sites ($299/yr). Same license key activates GuardPress on each site. Deactivate from the admin to free up a slot — staging-to-production moves are one click.

The plugin keeps protecting your site indefinitely — nothing turns off. You stop receiving updates and new firewall / detection rules. Renew anytime to resume updates. Unlike Wordfence Premium, there's no 30-day delay on rules either way.

30-day money-back guarantee. Email support within 30 days of purchase for a full refund — no questionnaire. Full refund policy →

Everything runs on your own server. The firewall, malware scanner, file integrity monitor, and audit log all execute locally and store data in your WordPress database. No outbound scanning queue, no cloud upload of file contents, no visitor data leaves your site for core protection. The only outbound calls are optional: license validation and the outdated software check (which queries WP.org's plugin directory, not your file content).

Three big ones: (1) no 30-day delay on firewall rules — new rules ship as soon as the plugin updates, (2) less than half the price for 1 site ($59 vs $149), (3) per-role 2FA, security headers, SSRF protection, outdated software check, and uptime monitoring are all built in — not extras or absent. Full comparison →

Resources

Learn, harden, recover

Articles, docs, and a place to get help.

📚

From the blog

📝

Documentation

🔧

Free tools

"The best security is the kind you never think about—because it simply works, silently protecting you in the background."

Get GuardPress Pro

GuardPress Pro

Version 1.6.25
PASSED
Scan Date May 22, 2026
Files Scanned 45
Lines of Code 23,847
Scan Engines Regex, PHPCS
Learn about our security methodology →