Capability | Included by default | Security add-on |
Vulnerability monitoring (Patchstack database, checked every 6 hours) | ✅ | |
Vulnerabilities grouped by plugin/theme, one-click fixing update, re-scan on demand | ✅ | |
Site Health checks with dismissible security warnings | ✅ | |
Activity Log for platform operations (what happens inside WP Umbrella) | ✅ | |
Uptime, PHP error, and performance monitoring | ✅ | |
Malware scanner | Soon | |
Firewall & virtual patching (blocks exploits before you can update) | ✅ | |
Firewall insights (attacks blocked, top IPs, top rules) | ✅ | |
Security hardening toggles, per site (application + | ✅ | |
Security-Driven Activity Log (attack detections on the sites themselves, with forensics) | ✅ |
Vulnerability monitoring. Every site is checked against Patchstack's vulnerability database every 6 hours. Known issues are grouped by plugin and theme, ranked by severity, and when an update fixes the issue, it's one click away. You also get a resolved counter and on-demand re-scan.
Site Health with dismissible warnings. SSL, WordPress version, WP_DEBUG, inactive plugins and themes, and more. Warnings you've consciously accepted (a PHP version pinned by the host, for example) can be dismissed, so the panel stays a real to-do list.
The platform Activity Log. Who on your team did what inside WP Umbrella, and when.
These are the visibility layers: they tell you what's exposed and what changed. The add-on is the protection layer on top.
Three components, enabled together with sensible defaults:
Firewall & Virtual Patching (powered by Patchstack). Blocks exploitation of known vulnerabilities at runtime, before the fixing update is applied or even released, plus common attack vectors like file access probes and proxy comment spam. The insights view shows you what was blocked, from where, and by which rule.
Security Hardening. Per-site toggles that close the doors attackers try first: user enumeration, XML-RPC and REST API abuse, the built-in code editor, version disclosure, sensitive file access, and more. First batch; more options coming.
The Security-Driven Activity Log. Watches what happens on the WordPress sites themselves and raises detections for attack patterns: brute-force, mass content deletion, privilege escalation, unusual sign-in locations, file integrity, critical settings changes. Every alert carries its evidence: accounts, IPs, timeline.
Price: 2€ / $2 per site per month, on top of your per-site subscription. Per site means you can protect the sites that need it without paying for the ones that don't.
How to enable: in bulk from the main dashboard or the security bulk view, or site by site from the Security tab. Enabling turns on all three components with recommended defaults; every piece can be adjusted per site.
Honesty section. The add-on is not:
A DNS or CDN-level firewall. It works at the PHP level, on the site. It complements (and runs happily alongside) Cloudflare, Sucuri, and hosting-level protections; it doesn't replace DDoS mitigation.
A replacement for updates. Virtual patching buys you time between a vulnerability's disclosure and your update. The durable fix is the update, and WP Umbrella's safe updates (included) are the other half of that workflow.
A replacement for backups. Protection reduces risk; it never makes recovery unnecessary. Backups are included on every account, and they stay your last line of defense.
The scope outgrew the name. Site Protect was virtual patching plus a set of invisible background hardening rules. The Security add-on is three visible components: the firewall, configurable hardening, and the Security-Driven Activity Log.
Nothing on the invoice: same price, 2€/month per site. Your virtual patching never stopped. The new capabilities (the hardening toggles, the firewall insights view, the Security-Driven Activity Log) are included at no extra cost. Visit each protected site's Security tab to check they're switched on and tuned to that site.
No. Everything Site Protect blocked is still blocked. The background hardening rules became visible toggles in the Hardening section (on by default where they were on before), and proxy comment blocking lives in the firewall rules.
Each site has a Security tab with sub-sections: Site Health, Vulnerabilities, Firewall, Hardening, and Activity Log (and soon, malware scanning).
Virtual patching rules and hardening are removed, the helper plugin is uninstalled, and security detections stop. The free layers (vulnerability monitoring, Site Health, the platform Activity Log) keep working. You can re-enable anytime; everything is reapplied immediately.