16-signal bot detection · CVE auto-rules · hidden login URL · security headers auto-fix · SSL monitor · Stack Health audit · 1-click wp-admin auto-login · weekly Risk Score digest. When one site in the network is attacked, every site is protected within minutes.
Free plan · No credit card · 30-second account setup
Real numbers from production · refreshes every 30 seconds
66,829
Attacks blocked (all time)
26,858
Attacks blocked (24h)
24
Sites in network
1,102
Confirmed bad IPs
3,623
AI bots seen (24h)
46
Countries attacking (24h)
You're paying for plugins that slow your site, lock features behind upsells, and leave each install fighting alone.
Wordfence ships 25+ MB of code and runs 40+ checks on every page load. Your visitors pay for it in latency.
When attacks hit, Under Attack Mode challenges every visitor — including buyers and search bots. You lose conversions and rankings.
When an attacker hits site A, site B doesn't hear about it. Same IPs, same patterns, same wasted CPU on every site.
Every Shield site contributes to a real-time threat feed. Every Shield site receives it. The more sites that join, the smarter the network becomes.
Shield's 16-signal engine scores it 87/100, blocks it locally, and reports the IP + signals to the network hub.
False positives get filtered out. Once 2+ independent sites report the same IP within 24 hours, it's confirmed.
Premium sites receive a real-time push (sub-second). Free sites pull the consensus feed every hour.
Next time that IP probes any site in the network, it gets blocked instantly — without spending a single CPU cycle on detection.
Every site sees the same Humans / Crawlers / AI scrapers / SysWP / Bots / Attacks breakdown. The network surfaces which AI bots are visiting your sites — so you decide whether to keep feeding them or block them with one click.
Most security plugins ship "a malware scan." We ship four — each tuned to a different threat surface, gated to the right tier so you don't pay for capacity you don't need.
Watches the 10 most-attacked WP files (wp-config.php, .htaccess, index.php, core boot files). Detects unauthorized changes within 5 minutes — catches 80% of compromise patterns.
Hashes every PHP/JS file in wp-includes + wp-admin against the official WordPress.org checksums. Catches modified, missing, and extra core files — backdoor implants nobody else sees.
Regex pattern scan on flagged files (eval, base64_decode, gzinflate, webshells). Cross-site signature network: when 5+ Shield sites flag the same SHA, AI auto-curates a network-wide block.
Confirmed-bad files quarantined automatically (chmod 600, moved out of web root). Monthly compliance PDF with chain-of-custody for client reporting and post-incident forensics.
Each layer is independently togglable. Most plugins make you pay Pro to even SEE that you have a problem — Shield's Layer 1 detects compromise on the FREE tier. Pay only for the deeper scans you actually need.
The full 16-signal firewall + threat-intel network + Risk Score + audits are in the FREE plan (3 sites). Paid tiers add 1-click hardening: hidden login URL, security headers auto-fix with HSTS phased rollout, SSL email/SMS alerts, CVE auto-rules pushed in real-time when vulnerabilities drop, and weekly digest with per-site detail.
16 weighted signals: empty/bad UA, fake crawlers, 404 storms, header fingerprints, coordinated patterns, TLS anomalies, and more.
Superadmin-curated firewall rules pushed to every site, validated by AI red-team + sandbox replay before canary rollout. Battle-tested rules from real attack traffic, not synthetic.
4500+ WP-core files hashed against WordPress.org checksums. Detects modified, missing, and EXTRA files — the classic backdoor signature most plugins miss.
See exactly what hits your site: Humans, Search crawlers, AI scrapers, SysWP probes, Bots and Attacks — with hourly history. The number every site owner secretly wanted but no plugin showed.
GPTBot, ClaudeBot, CCBot, PerplexityBot, Bytespider and 16 more — split into Training, Search and User-initiated families. Block by family with one toggle each, see real-time hit counts.
Googlebot, Bingbot, Facebook, Apple etc. are verified by reverse + forward DNS before they bypass your firewall — protecting your SEO and OG previews from heuristic false positives.
Catches slow requests >30s and slow cron events >60s with per-hook breakdown (Yoast indexable check, Action Scheduler, plugin-with-broken-cron). Most security plugins are blind to performance — Shield treats them as one problem.
Known-clean IPs (score < 20 in 60s) skip every detection layer. Your real users feel zero overhead.
When traffic spikes 3× over baseline, thresholds tighten and rate limits halve automatically. Manual override with cooldown.
5-level reputation system. Clean → watched → challenged → throttled → blocked. Auto de-escalation when behavior improves.
TOTP + 10 single-use recovery codes per user (FREE). Per-role mandatory + grace period (Starter+). SaaS-side recovery for locked-out admins (Pro+). No third-party 2FA plugin needed — same plugin handles it all.
Low-traffic sites no longer flicker offline. The SaaS pings silent sites every 5 min and forces an instant heartbeat — a problem most security plugins quietly ignore.
Rate limits and firewall rules can target specific ISO country codes via Cloudflare/GeoIP headers.
A bidirectional curated-rules system. Top-down: SysWP-curated rules validated by AI + sandbox before canary deploy. Bottom-up: your custom rules surfaced in our inbox — if great, promoted network-wide and you earn a month of higher tier.
When SysWP detects a new attack pattern, we draft a firewall rule, validate it (sandbox replay against 12 benign-traffic fixtures + AI red-team via Claude), then deploy via canary 10% → 100%.
/admin/network-rulesEvery Shield plugin ships its locally-defined rules to our SaaS inbox. We dedup by content hash — if 47 users have the same rule, we see ONE inbox item with a 47× badge. Promote → contributor gets 1 month of higher tier free.
Every contribution makes the network smarter. Every curated rule protects every Starter+ site automatically. The protection level you get scales with the network — and the network grows because contributors get rewarded.
Live blocked-IP feed, per-site stats, threat intelligence, audit log, and PDF reports — all updated in real time.
Native WP-admin UI. No iframes, no React bundles, no JavaScript dashboards loaded into your wp-admin. Once connected, cached rules keep enforcing even during brief SaaS hiccups.
Behavioral firewall — last 24 hours
A 60-second cron is a security signal. So is a 30-second response time. So is the same IP triggering 3 slow requests in a row. Shield captures all of them — natively.
Per-hook timing of every wp-cron event. When total cron > 5s, log per-hook breakdown. Reveals which scheduled job (Yoast indexable check, Action Scheduler queue, plugin-with-broken-cron) is causing pile-ups.
Alerts when ANY request exceeds your defined budget — slow query (>5s), slow request (>30s), memory peak (>256MB), slow cron (>60s). Same alert channel as security events.
Every block carries structured response headers — no guessing why the 403 fired. Plug into any external observability stack (n8n, Datadog, mod_security, your custom log analyzer).
Trap routes (/.env, /phpmyadmin/, /wp-config.bak) that any IP hitting = guaranteed bot. Opt-in.
Auto-detects WP Engine, Kinsta, Cloudways via WP constants. Recommendations adjust accordingly.
Manual heartbeat trigger from wp-admin — instant verification of SaaS connectivity.
Every request flows through this pipeline. Most legitimate visitors short-circuit at step 1.
Recently-clean IPs (score < 20 in last 60s) skip the rest. Most page loads end here.
16 signals analyzed: UA, headers, velocity, patterns, TLS, cookies, network behavior. Combined into a 0-100 score.
Custom rules + rate limits evaluated. Country filters, regex matching, and behavioral conditions.
Block, throttle, challenge, or log. Progressive escalation ensures repeat offenders get harsher responses.
A truthful side-by-side with the most popular WordPress security plugins.
| Feature | SysWP Shield | Wordfence | Sucuri | iThemes |
|---|---|---|---|---|
| Cross-site threat intelligence | ✓ | ✗ | Partial | ✗ |
| Behavioral bot detection signals | 16 | Basic | ✓ | Basic |
| Fast path for clean visitors | ✓ | ✗ | ✗ | ✗ |
| Progressive escalation levels | 5 | ✗ | ✗ | ✗ |
| Attack mode auto-response | ✓ | ✗ | Paid | ✗ |
| Country-based rules | ✓ | Paid | ✓ | Paid |
| Two-factor auth (built-in, FREE) | ✓ | ✗ | ✗ | Paid |
| Per-role mandatory 2FA + grace period | ✓ | ✗ | ✗ | Paid |
| Malware Sentinel — critical-file watcher | ✓ | Paid | ✓ | Paid |
| WP-core hash scan vs WordPress.org checksums | ✓ | Paid | ✓ | ✗ |
| Curated network firewall rules (auto-deploy) | ✓ | ✗ | ✗ | ✗ |
| AI-validated rule canary rollout (10% → 100%) | ✓ | ✗ | ✗ | ✗ |
| Contribution rewards (1mo upgrade if rule promoted) | ✓ | ✗ | ✗ | ✗ |
| Per-rule match telemetry across the network | ✓ | ✗ | ✗ | ✗ |
| Cron profiler (per-hook timing) | ✓ | ✗ | ✗ | ✗ |
| Performance budget alerts (req/cron/query/mem) | ✓ | ✗ | ✗ | ✗ |
| X-Shield-Block structured response headers | ✓ | ✗ | ✗ | ✗ |
| Honeypot endpoints (opt-in) | ✓ | ✗ | ✗ | ✗ |
| Managed-host fingerprint (WPEngine/Kinsta/...) | ✓ | ✗ | ✗ | ✗ |
| CVE auto-rules pushed when stack matches | ✓ | Partial | Paid | ✗ |
| Geo-enriched email alerts | ✓ | ✗ | ✗ | ✗ |
| Daily digest email mode | ✓ | ✗ | ✗ | ✗ |
| Varnish/CDN-aware responses | ✓ | Partial | ✓ | ✗ |
| Plugin size | ~1 MB | ~25 MB | ~8 MB | ~12 MB |
| Single-site price | $108/y | $119/y | $199/y | $99/y |
A complete suite for WordPress: security, analytics, and compliance — all under one roof.
Behavioral firewall with 16 signals + collective cross-site threat intelligence.
shield.syswp.proVisit-level analytics + AI bot detection (Googlebot, ChatGPT, Claude, etc.).
radar.syswp.com.br →LGPD/GDPR compliance audit for your site's privacy policy and cookies.
auditto.syswp.com.br →A look at what's already shipped, what's in flight, and what's next. We ship every weekend — these dates are real, not aspirational.
Network rules with AI-validated canary deploy. Cron profiler. Performance budget alerts. X-Shield-Block structured headers. Managed-host fingerprint. Honeypot endpoints. 4 plugin releases this weekend alone.
Single-click site health PDF combining vulnerability scan + traffic patterns + slow queries + PHP errors + bot signals + theme code smells + custom rule suggestions based on YOUR traffic. Goes beyond security — operational diagnosis.
Pattern scan for obfuscated code (eval/base64_decode/gzinflate webshells) on Layer-2 flagged files. Network signature reputation: when 5+ Shield sites flag the same file SHA, AI auto-curates it as a known-bad. Pro+ feature.
Confirmed-bad files quarantined automatically (chmod 600, moved out of webroot). Monthly compliance PDF for client reporting + post-incident chain-of-custody. Agency tier.
Same firewall + threat intel + observability for Drupal, Laravel, Next.js, edge runtimes. The behavioral signals don't care what stack runs the request — only WordPress signals (XML-RPC, wp-login) need stack-specific tuning.
We ship every weekend. Releases since April 2026: 0.22.0 → 0.27.2. The "in flight" lane usually clears in 1–2 weeks. Subscribe to the changelog for release-by-release detail.
Lock in 50% off your subscription for life as one of our first 49 early adopters. Discount applies to every renewal — no expiry, no fine print. 48 seats remaining.
Use code at checkout: Shield50
Free plan is fully functional. Paid plans add the threat-intel network and multi-site management.
3 site|s
Forever · no card required
3 site|s
Billed monthly · cancel anytime
Billed yearly · $95
15 site|s
Billed monthly · cancel anytime
Billed yearly · $411
30 site|s
Billed monthly · cancel anytime
Billed yearly · $728
Short, honest answers.
No. Known-clean visitors (score under 20 in the last 60 seconds) skip every detection layer except rate limiting. Typical overhead per page load is under 1 millisecond. We layer wp_cache + transient + options so most checks never touch the database.
You need a free SaaS account at shield.syswp.pro — Shield is the WordPress client for the SysWP threat-intelligence network, and the network only works when sites are connected. Setup takes ~30 seconds, no credit card needed. The free plan includes the full detection engine (16 signals, escalation, rate limiting, attack mode), the cross-site network consensus, vulnerability digest, and dashboard. Premium adds multi-site management, longer log retention, and richer analytics.
Once connected, the plugin caches the license, blocklist, and threat feed locally. Brief outages are absorbed without any visible degradation. After 24h offline you get an info note in the admin; after 7 days a more prominent warning. Cached rules keep enforcing the whole time. The plugin only refuses to start protection on an install that has NEVER successfully connected — by design, because that means it has no rules to fall back on.
Yes — that's how the cross-site network works. We send: site URL, WordPress + PHP + plugin versions, aggregate traffic counts, the plugin/theme list (matched against Wordfence vulnerabilities), and per-attack metadata (attacker IP, bot signals, attempted path, country code). We never send: post content, user accounts, passwords, customer PII, or visitor IPs. Full disclosure list at shield.syswp.pro/legal/privacy and inside the plugin readme.txt under "External Services".
Yes. Block and challenge responses include Surrogate-Control, CDN-Cache-Control, X-Accel-Expires headers so Varnish (WP Engine), nginx, Cloudflare, Fastly, etc. don't cache them. We auto-detect Cloudflare and use CF-Connecting-IP for accurate IP attribution.
Wordfence is bigger (~25 MB vs our 1 MB) and more battle-tested but its threat intel is one-way (theirs to you, not the other way). Sucuri is excellent but expensive ($199+/year) and 100% SaaS — your site can't defend itself if their CDN is unreachable. Shield is a native-WordPress plugin connected to a network: enforcement runs ON your server (not at an edge proxy), the network is collective (every site contributes), and cached rules keep working during SaaS hiccups. The free plan has the same core engine as paid.
Every public request is classified into one of six buckets: Humans (real visitors), Crawlers (Googlebot/Bingbot/FB — FCrDNS-verified), AI scrapers (GPTBot, ClaudeBot, CCBot…), SysWP (our own infrastructure scanners), Bots (throttled scrapers), and Attacks (blocked). The donut shows last-24h percentages with an hourly stacked chart underneath. Internal traffic (wp-cron, Gutenberg AJAX, your own logged-in admin polling) is excluded so the percentages reflect what actual visitors are doing.
It depends — and that's why we split them into THREE independent toggles instead of giving you one all-or-nothing switch: • Training crawlers (GPTBot, ClaudeBot, CCBot, Bytespider…): scrape your content to train future LLMs with zero direct return for you. Most publishers block these. • Search/answer crawlers (OAI-SearchBot, PerplexityBot, Amazonbot, YouBot): index your site so AI can cite it in real-time answers. This is the modern equivalent of SEO — most sites should leave these ON. • User-initiated fetches (ChatGPT-User, Perplexity-User, Claude-Web): triggered when a real person pastes your URL into ChatGPT or Perplexity. Blocking these blocks real users — almost never a good idea. Defaults: ALL OFF (let through with rate-limit). The Bot Management tab shows 24h hit counts per family so you decide based on your actual traffic.
When we eventually run our own probes against your site (sitemap validation, SEO checks, uptime monitoring), they identify themselves with UAs like "SysWP-Scanner" / "SysWP-Sitemap" — so when you audit your access logs, you can immediately tell those apart from a real attacker. The architecture is wired in 0.13.0; the SysWP slice will stay at 0% until our scanner actually goes live in your network. No false positives by design.
Network rules are SaaS-curated firewall rules (validated by AI red-team + sandbox replay before they ship anywhere) that get distributed to Starter+ sites. They're scoped to: (1) blocking known attack patterns observed across the network, (2) CVE auto-rules when your installed plugin/theme matches an open vulnerability. You can disable network rules entirely in Settings → Network feeds. Each pushed rule is visibly tagged "🛡 SysWP · Global" in your Rules tab — full transparency, no hidden enforcement. The canary rollout means new rules only reach 10% of sites for the first 24h — if anything misbehaves, we catch it BEFORE it goes to your site.
Your plugin automatically ships your local rules to our SaaS inbox (just the rule definition — no traffic data, no PII). We deduplicate by content hash: if 47 users wrote the same anti-spam rule, we see ONE inbox item with a 47× badge. If the superadmin promotes your rule network-wide, you automatically get 1 month of higher tier free as a thank-you (rate-limited to 1 promotion per quarter to prevent gaming). The promoted rule appears as "🛡 SysWP · Global" on every Starter+ site in the network. It's optional — turn off the contribution heartbeat field if you'd rather keep your rules private. But the flywheel works: every Shield site makes every other Shield site stronger.
A 60-second cron event IS a security signal — it could be a backdoor running in the background. A 30-second response time IS a security signal — it could be a denial-of-service attempt or a slow exploit. The same IP triggering 3 slow requests in 5 minutes IS a security signal — it triggers our slow_request_burst bot detector. Most security plugins are blind to performance. Shield treats them as one problem because attackers exploit them as one. You can still run New Relic / Datadog for deep APM — Shield's perf observability is for the security pipeline, not full-stack profiling. Net effect: customers who don't pay for APM still see slow query / slow cron / memory peak alerts in their Shield dashboard, with the same alert channel as security events.
Install the plugin in under 60 seconds. Connect for premium features whenever you're ready.
