Site Protect is WP Umbrella’s all-in-one security hardening add-on, powered by Patchstack. It offers advanced protection for your WordPress sites by blocking known vulnerabilities and common attack methods — all without affecting your site’s performance or requiring complex setup.
This guide explains what Site Protect does, how it works, and how to enable it in just a few clicks.
Estimated Time to Complete: 1–2 minutes
Prerequisites:
WP Umbrella plugin installed and activated on your WordPress site
Access to your WP Umbrella account
Active Site Protect add-on (+2$/month)
Site Protect secures your site with real-time virtual patching and WordPress-specific hardening techniques. It prevents known vulnerabilities from being exploited — even if a plugin or theme hasn’t been updated yet — and silently closes many common security gaps in the background.
You get enterprise-grade protection across all your client sites, without needing to install multiple plugins or manually configure anything.
No code changes No performance impact No maintenance headaches
Features | What It Does | Why It Matters |
Vulnerability Virtual Patching Firewall | Automatically blocks known vulnerabilities in WordPress core/themes/plugins and common attack vectors. | Prevents exploits before updates are applied or released. This helps you to protect your websites from new malwares and common attacks |
Disable Theme/File Editors | Removes built-in editors from the WP admin | Prevents attackers from injecting malicious code (and your clients from doing crazy stuff) |
Block readme.txt / WP version meta | Hides WordPress version info | Avoids being targeted by bots |
Disable User Enumeration | Stops attackers from discovering usernames | Defends against brute-force logins |
Restrict XML-RPC Access | Allows XML-RPC only for authenticated users | Reduces spam and attack surface |
Security Headers | Adds headers like X-Frame-Options, X-XSS-Protection | Defends against clickjacking, XSS, and more |
Block debug.log & sample config files | Prevents access to sensitive information from the debug.log file | Keeps internal configs private |
Disable Index Views | Blocks directory listing | Prevents accidental file exposure |
Block Proxy Comment Posting | Disables comments via third-party services | Reduces spam and abuse attempts |
When you enable this add-on, here’s what happens:
A lightweight helper plugin (powered by Patchstack) is installed automatically.
It monitors your site at the PHP level and blocks known vulnerabilities and attack patterns.
Security rules are continuously updated from Patchstack’s threat database.
No files are modified and there’s zero impact on your frontend speed.
All protections are activated instantly — just toggle it on, and you’re done.
You have two options:
Click on the “News: Site Protect” block in the left-side menu.
Confirm the number of sites and total monthly cost.
Click “Protect All Sites” to start the plugin installation and get your sites protected.
Go to the Security tab of a specific website.
Toggle the protection on.
Site Protect is an advanced security hardening add-on that protects your WordPress sites in two main ways:
1. Virtual Patching: It blocks known plugin, theme, and core vulnerabilities before updates are applied — acting as a safety net.
2. Security Hardening Rules: It disables or hides common WordPress features that are often exploited by bots or attackers.
This includes everything from blocking access to sensitive files like readme.txt and debug.log, to adding smart HTTP headers that prevent XSS and clickjacking attacks.
Most security plugins rely on bulky scanning engines, firewalls, or malware detection tools. They often:
Add database overhead
Create false positives
Slow down your site
Require configuration
Site Protect does none of that.
It’s lightweight, silent, and doesn’t touch your code. It runs at the PHP level and blocks specific behaviors before they can be exploited — making it ideal for high-performance sites and agencies managing many clients.
Think of it as a modern, minimalist alternative to bloated security plugins.
No. Site Protect was built to be fast and efficient. The helper plugin doesn’t scan files or process large datasets — it simply blocks known patterns at the PHP execution level.
Performance impact is effectively zero, even across hundreds of sites.
Virtual patching is like applying a temporary fix without changing any code. Let’s say a plugin has a critical vulnerability, but the developer hasn’t released an update yet — or you can’t update right away because of client constraints. Virtual patching blocks the exploit at runtime, protecting your site while you wait to update.
It buys you time, reduces stress, and adds a critical layer of defense between you and the bad guys.
Here are some examples of what Site Protect stops automatically:
User enumeration attacks via ?author=1, XML-RPC, and REST API
Exploitation of unpatched plugin/theme vulnerabilities
Clickjacking and XSS via HTTP response headers
Brute-force attempts through exposed endpoints like XML-RPC
File access probes like readme.txt, license.txt, debug.log, etc.
Proxy comment spam from third-party tools and scripts
Targeted version-based exploits, thanks to hidden WP version info
Not at all. Just toggle the add-on on from the WP Umbrella dashboard, and Site Protect does the rest. All protection rules are applied instantly and automatically. There’s nothing to install, no settings to tweak, and no “tech skills” required.
Site Protect updates itself automatically. We sync with Patchstack’s real-time vulnerability database, which is continuously updated by their team of researchers and ethical hackers. You always get the most recent virtual patches and hardening rules without lifting a finger.
Yes, Site Protect is designed to be non-conflicting.You can use it with:
Hosting-level firewalls (like Cloudflare or Sucuri)
Security monitoring tools (like WP Activity Log)
Other plugins, if needed
However, many users find they can replace traditional security plugins entirely with Site Protect, since it covers most real-world attack vectors without the extra weight.
Yes! Just go to the Risks tab of any connected site in your WP Umbrella dashboard. There, you’ll see:
Total blocked threats
The types of attacks that were stopped
Originating IP addresses
Dates and times
This real-time reporting gives you full transparency — so you can show clients exactly how you're protecting their websites.
If you disable Site Protect:
All virtual patching and hardening rules are removed
The helper plugin is uninstalled from your site
Your site becomes reliant on plugin/theme/core updates for protection
You can re-enable Site Protect anytime, and all rules will be applied immediately with no setup needed.
Site Protect gives you peace of mind by applying expert-level security hardening with one click. It reduces your attack surface, blocks exploits, and keeps your sites protected — so you can focus on what matters most: delivering value to your clients.
