Keeping your WordPress sites secure shouldn’t feel like rocket science — and with WP Umbrella, it doesn’t. This guide walks you through how to leverage our three-pillar security system: Vulnerability Monitoring, Site Health Check, and Security Hardening.
These tools work together to help you identify threats early, fix weak points, and automatically apply protections without compromising your site’s performance.
Estimated Time to Complete: 2 minutes
Prerequisites:
WP Umbrella plugin installed on your WordPress website
Access to your WP Umbrella account
(Optional but recommended) Security Hardening add-on enabled
Next to each WordPress site, you’ll see a Risks label.
Click Risks to dive into your site’s dedicated Security dashboard
Instantly see if any plugins, themes, or the WordPress core have known vulnerabilities. Each entry includes:
Severity level
Update status
Recommended action
This lets you react before attackers can exploit these issues.
This section flags potential security risks related to your hosting environment or WordPress settings that your client can actually see and not understand. WP Umbrella highlights and explains:
SSL certificate status
WordPress & PHP version warnings
Inactive plugins/themes
WP_DEBUG status
You’ll also get actionable recommendations for fixing each issue.
For maximum protection, enable the Security Hardening add-on (powered by Patchstack).
This add-on applies virtual patches, blocks common attack vectors, and eliminates the need for heavy security plugins — without slowing your site down.
Once security hardening is activated, WP Umbrella begins blocking malicious traffic immediately — no need to configure anything.
Here’s everything it protects against automatically:
Features | What It Does | Why It Matters |
Vulnerability Virtual Patching Firewall | Automatically blocks known vulnerabilities in WordPress core/themes/plugins and common attack vectors. | Prevents exploits before updates are applied or released. This helps you to protect your websites from new malwares and common attacks |
Disable Theme/File Editors | Removes built-in editors from the WP admin | Prevents attackers from injecting malicious code (and your clients from doing crazy stuff) |
Block readme.txt / WP version meta | Hides WordPress version info | Avoids being targeted by bots |
Disable User Enumeration | Stops attackers from discovering usernames | Defends against brute-force logins |
Restrict XML-RPC Access | Allows XML-RPC only for authenticated users | Reduces spam and attack surface |
Security Headers | Adds headers like X-Frame-Options, X-XSS-Protection | Defends against clickjacking, XSS, and more |
Block debug.log & sample config files | Prevents access to sensitive information from the debug.log file | Keeps internal configs private |
Disable Index Views | Blocks directory listing | Prevents accidental file exposure |
Block Proxy Comment Posting | Disables comments via third-party services | Reduces spam and abuse attempts |
1. What exactly does Site Protect do?
Site Protect automatically secures your WordPress sites by blocking known vulnerabilities and disabling common attack vectors. It includes virtual patching, hides sensitive information, adds key security headers, and disables risky WordPress behaviors — all with zero performance impact.
Unlike bulky security plugins that often slow down your site or overlap with hosting-level protection, Site Protect is lightweight, silent, and focused on hardening your WordPress environment. It doesn’t run heavy scans or modify your code — it simply prevents known threats from being exploited.
3. What is virtual patching?
Virtual patching protects your site by blocking known vulnerabilities — even before you update the affected plugin or theme. It acts as a safety layer, preventing exploits until an official fix is released and installed.
4. What kinds of attacks does Site Protect block?
Site Protect covers a wide range of common WordPress-specific threats, including:
Exploits in outdated plugins and themes
User enumeration (to prevent username discovery)
Access to readme.txt, license.txt, debug.log, and other sensitive files
Brute-force via XML-RPC
Version disclosure
Proxy comment posting
Clickjacking and XSS (via HTTP headers)
File editor abuse from within wp-admin
5. Can I manually scan my WordPress website for new security risks?
Yes! Just click the "Scan your website" button inside the Security tab.
6. How often does WP Umbrella scan my websites?
We automatically scan every 6 hours—that's 4 times a day!
7. Is this Security Monitoring feature included in my plan?
Absolutely! All these features are included in your monthly subscription — no hidden fees.
8. What should I do if I see multiple vulnerabilities?
Go through each item listed and update your plugins, themes, or WordPress core as needed. If you’re unsure, reach out to our friendly support team!
9. Why is WP_DEBUG important for my site's security?
If WP_DEBUG is enabled on a live site, it can expose sensitive information. WP Umbrella lets you know if it's on so you can disable it when necessary.
Security is no longer something you can set and forget — but with WP Umbrella, it can be simple, automated, and reliable.
Whether you’re managing one website or a hundred, WP Umbrella gives you everything you need to monitor, fix, and prevent security issues — without the clutter of bloated plugins.
