Segurium is WordPress security without the bloat. Every hardening surface a site needs to survive the open internet — login protection, geo and IP gating, security headers, integrity verification, malware detection — ships in a single focused plugin. No ad walls, no background processes that chew through your shared-hosting CPU budget.
Behind the simple UI is a high-tech engine. Segurium hashes your files on the server and checks each SHA-256 against a continuously-updated, machine-learning-curated cloud verdict database — so most files are classified by hash alone, the scan is fast, the plugin stays small, and fresh threats are recognised the moment the classifier picks them up. When a file's hash is not yet known to the cloud, Segurium uploads that file's bytes for deeper analysis so you don't get stuck with an unresolved verdict. We do not keep your files in the cloud. Nothing — not a hash, not a byte — is sent before you accept the service disclosure.
What you get on every install
Every feature below ships in the plugin and runs on every install — Free and Pro alike:
- Two-factor authentication — TOTP apps, email fallback, backup codes, trusted devices, per-role enforcement and grace period.
- Brute-force protection — Multi-tier lockouts on wp-login.php and XML-RPC, honeypot field, manual IP unlock, optional hCaptcha on login.
- Geo-blocking — Block login or admin traffic by country using a local binary database (auto-updated), with a confirm-or-revert safety net so you can't lock yourself out.
- Firewall — Allow / deny IP rules, CIDR ranges and country-level filters with a single source-of-truth IP list shared across login, admin and request gating.
- Security headers — Security HTTP response headers, cookie hardening (SameSite/Secure/HttpOnly), and five one-click preset modes.
- Information Shield — Toggles that hide WordPress version fingerprints, discovery endpoints, asset
?ver= strings, and XML-RPC when you don't use them.
- Self-Check security grade — Checks roll up into an A+ to F grade, each with one-click Fix buttons and cross-referenced with external scanners.
- Migration importer — Import your existing settings from Wordfence, All-In-One Security, Sucuri Security and Solid Security so you don't lose your hardening when you switch.
- Disaster recovery — Local encrypted backups can be extracted with a tiny PHP one-liner, even if Segurium is uninstalled.
- Malware scanner — Full filesystem scan, and a unified "Threats" view across every scan.
- Real-time and upload scanning — New and modified files are checked automatically; infected uploads are blocked before they land on disk.
- Scheduled scans — Off / daily / weekly with a locale-aware time picker. A scheduled malware scan automatically chains an integrity scan behind it on the same cadence.
- Integrity scan — Verify WordPress core, plugins and themes against upstream manifests. Spot tampered, delisted or abandoned components at a glance.
- Bulk "Fix All" remediation — Queue every detected threat for cleanup in one click on both malware and integrity panels.
- Auto-fix on detection — When real-time scanning flags a file, Segurium can clean it without waiting for an admin to open the dashboard.
- Cleanup with encrypted, reversible backups — Before anything is cleaned, the original file is encrypted (AES-256-GCM) and stored locally. Backups are retained for up to 30 days, subject to per-bucket count and size caps. "Show original" and "Restore" are one click away.
- Embedded support.
How the Pro service tier differs
Cleanups are performed by Segurium's cloud service and counted against a per-installation quota. The Free service tier covers up to
3 cleanups per rolling 30 days — enough for an occasional incident on a typical site. The Pro service tier raises that quota for sites that need higher cleanup volume (recurring infections, agency portfolios, hosts under sustained attack). The plugin code, the detection engines, and every feature listed above are identical on both tiers; the only difference is the cleanup-quota ceiling enforced server-side.
Privacy by default
- Scanning is opt-in. Until you explicitly accept the service disclosure on the plugin's admin page, Segurium doesn't contact the cloud and doesn't start scanning.
- Hash-first, body-on-miss. During a scan, files are checked by SHA-256 first. Only files whose hash is unknown to the cloud have their bytes uploaded for classification, so the volume of content actually leaving your server is small and bounded by what's new on disk.
- No telemetry on your visitors. Segurium looks at files and login attempts, not at the people who visit your site.
- You're in control of cleanup. Cleaning an infected file is always reliable, with backups.
Designed to stay lean
Segurium ships as a small PHP plugin with no bundled binaries, no vendored third-party scanners, and no hidden background daemons. The heavy lifting — classification, signature curation, integrity manifests — lives in our cloud service, so your WordPress install stays fast and your hosting bill stays flat.