Free + Pro

All-in-one security that won't lock you out of your own admin.

Login hardening, 2FA, file integrity, endpoint WAF, audit log. Every blocking feature has a documented rescue path so you cannot get stuck. Run new defaults in soft mode for 14 days, promote to enforce when you trust them.

// Pro features

Cloud-driven defenses, advanced auth, and forensics - without the lockout risk.

Cloud-pushed WAF rules

Daily-updated firewall patterns from cross-site attack telemetry, layered on top of free's bundled OWASP-style rule set. No same-day delay.

CVE detection

Match every installed plugin and theme against the live vulnerability feed. Get alerted the moment a CVE lands that affects your stack, with the fixed version and severity inline.

Magic-link login & per-role MFA

Passwordless login via emailed one-time link. Force 2FA enrollment for specific roles (e.g. administrators, editors) before they can use wp-admin.

Lockdown & forensics

One-click emergency lockdown kills sessions, blocks file writes, and shows a maintenance page. Tamper-evident audit log + one-click forensic ZIP for incident response.

IP reputation & country / ASN block

Cloud-fed list of known-bad IPs is checked on every request. Block by country (ISO-3166-1) or autonomous system, with an allowlist so your own session is never caught up in a block.

Alerts where you actually look

Slack, Discord, Microsoft Teams, PagerDuty (Events API v2), Twilio SMS, and a generic HMAC-signed webhook. Severity threshold per channel - no Slack spam from low-priority noise.

Live attack map

Real-time world map of where attacks are coming from. Free plots by country; Pro adds city-level accuracy, live polling, and animated attack trails.

Custom WAF rules + templates

Cloudflare-style rule editor with curated templates. Free ships 3 templates and a 1-rule cap. Pro unlocks 30+ templates, unlimited rules, geo / ASN / rate-limit conditions.

Scheduled lockdown

Restrict wp-admin to a recurring time window. Free supports one daily window; Pro adds per-weekday rules, multiple windows, and holiday overrides. Authenticated sessions always exempt.

Deep IP investigation

Click any attacker IP for WHOIS, reverse DNS, AbuseIPDB confidence score, Tor exit check, DNSBL listings, behavioral classification, and neighbour-subnet activity.

One-click abuse reports

Send a pre-filled abuse report to the offending IP's hosting provider. WHOIS contact, attack stats, and recent events auto-populated. Pro can batch and follow up.

// Deep dive

See what each major feature actually looks like.

Free vs Pro broken down per feature. Where free gives you a real working version, Pro extends it with cloud data and richer surfaces.

Live attack map

See exactly where attacks are coming from, as they happen.

Every blocked request and lockout is plotted on a world map, grouped by country and sized by attack volume. Pulsing dots draw your eye to the active hotspots. Click any pulse to jump straight into the IP detail page.

  • Free: country-level pins via bundled IP/country table, 1h / 24h / 7d windows, snapshot refresh.
  • Pro: city-level precision from licensed feed, 60-second live polling, animated attack trails, ASN/country breakouts.
[Screenshot: /wp-admin · MossHill › Attack map. Summary tiles for Attacks, Unique IPs, Countries and time since the last attack above the world map.]
[Screenshot: /wp-admin · MossHill › Custom rules › New rule. Template picker (Block xmlrpc.php: URI path equals; Drop empty UA: User-agent empty; Allow cron-only IP: IP equals), rule builder with a Pro-only geo condition, action "Block", and Test / Save rule buttons.]
Custom WAF rules

Cloudflare-style rules, without the Cloudflare price tag.

Build IF/THEN rules across IP, user-agent, URI, method, referer, and (Pro) country / ASN / rate-limit. Start from a curated template or write from scratch. Every rule runs before the bundled WAF, so an Allow rule can short-circuit false positives.

  • Free: 1-rule cap, 3 templates, full condition library for IP / URI / method / referer / UA.
  • Pro: unlimited rules, 30+ templates, geo + ASN + rate-limit + JS-challenge actions.
Rule tester

Test a rule against your last 10 real attacks before you save it.

Click "Test" on the rule editor and MossHill replays the most recent 10 blocked requests against your unsaved condition. Green border = would match. Grey = wouldn't. No more false-positive surprises after deploying a rule.

  • Free + Pro: tester works against any rule, draft or saved. Pro can also replay the last 1000 events.
[Screenshot: /wp-admin · MossHill › Custom rules · Test results. Replay against the last 10 attacks, 7 / 10 would match; each row shows source IP, method and path (POST /wp-login.php, GET /xmlrpc.php, GET /wp-admin/) with MATCH or skip.]
[Screenshot: /wp-admin · MossHill › IP detail. Per-IP panel with country and ASN organisation, behavioral classification (brute-force bot), AbuseIPDB confidence and report count, DNSBL listings (Spamhaus, Barracuda, SORBS), reverse DNS (no PTR record), Tor exit status, and counters for Failed logins / 7d, WAF blocks and /24 neighbours.]
Deep IP investigation

Everything we can learn about an attacker, in one screen.

Click any IP and MossHill pulls WHOIS, reverse DNS, AbuseIPDB confidence, Tor exit status, DNSBL listings (Spamhaus, Barracuda, SORBS), datacenter detection, behavioral classification, and /24 subnet neighbours. One-click block, abuse-report, or unlock right from the same page.

  • Free: WHOIS, reverse DNS, behavioral classifier, /24 neighbours, opt-in DNSBL / Tor / AbuseIPDB (BYO key).
  • Pro: country + ASN org + city precision from the cloud feed, no API keys required.
Scheduled lockdown

Close wp-admin after hours. Open it again at 9am.

Drastically reduce your attack surface by restricting wp-admin and wp-login.php to the hours your team is actually working. The site front-end stays live; only the admin doors close. Authenticated admin sessions and the activator IP are always exempt, and a 7-day soft-mode period logs would-have-blocked requests so you can verify the schedule is sane before promoting to enforce.

  • Free: one daily window (cross-midnight supported), 7-day soft-mode period, audit log of attempted access.
  • Pro: multiple windows, per-weekday rules ("block weekends only"), holiday overrides.
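The window logic described above, as an added example that is not MossHill's code: a cross-midnight window (end before start), the always-exempt authenticated session and activator IP, and a soft-mode period that logs instead of blocking. The names (`Schedule`, `decide`, `run_demo`) and all sample values are this example's assumptions.

```python
"""Added example, not MossHill's own code: decision logic for a scheduled
wp-admin lockdown with a cross-midnight window (22:00 -> 06:00 next day),
exempt sessions / activator IP, and a log-only soft-mode period.
Names and sample values are this example's assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

@dataclass
class Schedule:
    start: time                  # wp-admin is CLOSED from start ...
    end: time                    # ... until end (may be on the next day)
    activator_ip: str            # IP that activated the plugin, auto-allowlisted
    soft_mode_until: datetime    # before this instant: log only, never block
    log: list = field(default_factory=list)

def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` is inside the lockdown window. When end < start the
    window crosses midnight: [start, 24:00) plus [00:00, end)."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(s: Schedule, now: datetime, client_ip: str, authenticated: bool) -> str:
    """Return 'allow', 'log' (soft mode) or 'block' for one wp-admin request."""
    if authenticated or client_ip == s.activator_ip:
        return "allow"           # rescue guarantee: a live admin is never locked out
    if not in_window(now.time(), s.start, s.end):
        return "allow"
    verdict = "log" if now < s.soft_mode_until else "block"
    s.log.append(f"{now.isoformat()} {client_ip} {verdict}")
    return verdict

def run_demo() -> list:
    """Constructed sample: 22:00-06:00 window, 7-day soft mode from 2026-05-01."""
    s = Schedule(time(22, 0), time(6, 0), "198.51.100.7",
                 datetime(2026, 5, 1) + timedelta(days=7))
    cases = [
        (datetime(2026, 5, 3, 23, 30), "203.0.113.9", False),   # in window, soft mode
        (datetime(2026, 5, 12, 2, 15), "203.0.113.9", False),   # in window, enforced
        (datetime(2026, 5, 12, 9, 0), "203.0.113.9", False),    # outside the window
        (datetime(2026, 5, 12, 2, 15), "198.51.100.7", False),  # activator IP
        (datetime(2026, 5, 12, 2, 15), "203.0.113.9", True),    # authenticated
    ]
    return [decide(s, ts, ip, auth) for ts, ip, auth in cases]

if __name__ == "__main__":
    print(run_demo())  # ['log', 'block', 'allow', 'allow', 'allow']
```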
[Screenshot: /wp-admin · MossHill › Lockouts › Scheduled lockdown. "Restrict access to wp-login.php and wp-admin during a recurring time window." Status banner: "Right now: would be locked (soft mode). Soft-mode period ends in 6 days; until then the schedule logs but does not block." Start time / End time fields with the note "End is before start, so the window crosses midnight (22:00 → 06:00 next day)", plus a Pro upsell for per-weekday rules + holiday overrides.]
[Screenshot: /wp-admin · MossHill › Plugins & Themes. Risk summary tiles (Low risk, Medium, High, Abandoned) above a per-plugin table with Plugin, Last updated and Risk columns; a plugin last updated 3 years ago is tagged Abandoned and the High-risk row carries a CVE badge.]
Plugin & theme risk scoring

Know which of your plugins is the next breach waiting to happen.

Every installed plugin and theme gets a risk tier (Low / Medium / High / Abandoned / Unknown) based on WP.org freshness, version age, "tested up to" status, install size, and active install count. Indicators show up in the official plugins screen too — no need to leave the page you're already on.

  • Free: heuristics-based risk tiers via WP.org metadata, 24h cache, plugin-row badges.
  • Pro: CVE detection against live vulnerability feed, severity scoring, "this plugin is part of an active campaign" alerts.
Hosting abuse report

Send a polished abuse report to the offending IP's hosting provider — in one click.

MossHill runs a raw WHOIS lookup (port 43, no API key) against the attacking IP, extracts the abuse contact email, and pre-fills a complete report with your site URL, attack stats, and the most recent events from your audit log. Edit if you want; send when ready. Every send is logged.

  • Free: WHOIS lookup, auto-populated subject + body, sends via your site's wp_mail.
  • Pro: bulk reports across multiple IPs, response tracking, custom templates per provider.
[Screenshot: /wp-admin · MossHill › Report abuse. WHOIS (RIPE) panel with the abuse contact, organisation and network name, and pre-filled To / Subject / Body fields. The body opens "Hello, The IP address … has launched 427 failed login attempts against my WordPress site at https://example.com over the past 7 days…" and lists the most recent events (UTC), e.g. "auth.login_failed (admin)".]
[Screenshot: cloud-feeds.codecabin.io · status. Five feeds, each with last-updated time, item count and a Fresh badge: WAF rules (patterns), IP reputation (IPs), CVE feed (CVEs, with how many affect your install), GeoIP database (city precision), Malware signatures (sigs).]
Cloud-driven defenses · Pro only

Five live feeds, one license. No same-day delay.

Pro gets five separately-cached cloud feeds, refreshed via WP-Cron: daily-updated WAF patterns, IP reputation list (300k+ known-bad IPs), CVE detection against your installed stack, city-precision GeoIP, and malware signatures (kept out of free because YARA-style patterns trip Plugin Check and AV scanners).

  • Each feed runs out-of-process; failures are silent and your site keeps working on stale data.
  • License key is checked on the feed endpoint, not in your request path. Zero added latency.
Modern auth · Pro only

Magic-link login. Per-role MFA enforcement. Trusted devices.

Skip the password — let your team sign in with a one-time emailed link that expires in 15 minutes. Force 2FA enrollment for specific roles (admin, editor) before they can use wp-admin. Remember trusted devices so the second factor isn't asked on every login from the same laptop.

  • Magic-link rescue (free) is a separate, ops-only flow — not the daily-login experience.
  • Trusted devices: 30-day cookie, revocable from your profile screen. Per-device labels.
[Screenshot: example.com/wp-login.php. "Sign in to example.com" with a magic-link alternative to the password form and the notice "2FA required for admins".]
[Screenshot: Slack · #site-alerts. MossHill APP message at 4:12 AM: "4 active high-severity events on example.com", "427 failed logins from one IP · Russia", "Classified as: brute-force bot · AbuseIPDB 94%", with inline buttons View IP detail, Block now, Report abuse. Channel icons: Slack, Discord, Teams, PagerDuty, SMS.]
Notifications · Pro only

Get alerted where your team actually pays attention.

Route security events to Slack, Discord, Microsoft Teams, PagerDuty (Events API v2), Twilio SMS, or a generic HMAC-signed webhook. Set severity thresholds per channel so low-priority noise doesn't reach the pager, but the 3am brute-force does. Each alert has inline action buttons — block, report abuse, or view detail without leaving the channel.

  • Webhook signatures use HMAC-SHA256 so you can verify origin.
  • Per-channel rate limiting prevents alert storms on noisy incidents.
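How the receiving side of an HMAC-SHA256 signed webhook can verify origin and then apply a per-channel severity threshold, as an added example that is not MossHill's code. The header names, the signed-string layout (`<timestamp>.<raw body>`), the freshness window and the sample payload are this example's assumptions; the page does not specify the wire format.

```python
"""Added example, not MossHill's own code: verifying an HMAC-SHA256 signed
webhook alert with a constant-time compare and a timestamp freshness window.
Header names, signed-string layout and sample payload are assumptions."""
import hashlib, hmac, json

MAX_SKEW_SECONDS = 300      # alerts older than 5 minutes are treated as replays

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over '<timestamp>.<raw body>'."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

def verify(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Receiver side: True only if the timestamp is fresh AND the signature
    matches. Both checks run before the JSON body is parsed or trusted."""
    try:
        ts = int(headers["X-MossHill-Timestamp"])       # assumed header name
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                                    # stale or replayed
    expected = sign(secret, ts, body)
    given = headers.get("X-MossHill-Signature", "")     # assumed header name
    return hmac.compare_digest(expected, given)         # constant-time compare

def handle_alert(secret: bytes, headers: dict, body: bytes, now: int,
                 min_severity: str = "high") -> str:
    """Verify first, then apply this channel's severity threshold."""
    if not verify(secret, headers, body, now):
        return "rejected"
    event = json.loads(body)
    levels = ["low", "medium", "high"]
    if levels.index(event["severity"]) < levels.index(min_severity):
        return "dropped"                                # below channel threshold
    return f"deliver: {event['summary']}"

# Constructed sample alert; the secret, IP and counts are illustrative only.
SECRET = b"shared-webhook-secret"
BODY = json.dumps({"severity": "high",
                   "summary": "427 failed logins from 203.0.113.9"}).encode()
NOW = 1_778_500_000
GOOD_HEADERS = {"X-MossHill-Timestamp": str(NOW),
                "X-MossHill-Signature": sign(SECRET, NOW, BODY)}

if __name__ == "__main__":
    print(handle_alert(SECRET, GOOD_HEADERS, BODY, NOW))            # deliver: ...
    print(handle_alert(SECRET, GOOD_HEADERS, BODY, NOW + 3600))     # rejected (stale)
    print(handle_alert(SECRET, GOOD_HEADERS, BODY + b" ", NOW))     # rejected (tampered)
```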
// Free vs Pro

Compare what's in each version.

Feature | Free | Pro
Login rate-limiting + lockouts | Yes | Yes
Honeypot + math captcha on login form | Yes | Yes
Strong password policy (Pwned Passwords) | Yes | Yes
Login URL rename | Yes | Yes
TOTP two-factor authentication | Yes | Yes
File integrity monitoring (chunked scan) | Yes | Yes
Endpoint WAF (28+ bundled OWASP-style rules) | Yes | Yes
Audit log + health dashboard | Yes | Yes
10 documented lockout-rescue paths | Yes | Yes
Custom WAF rules (Cloudflare-style editor) | 1 rule | Unlimited
WAF rule templates | 3 | 30+
Test rules against last 10 attacks | Yes | Yes
Scheduled lockdown (recurring time windows) | 1 daily | Per-day + holidays
Plugins & themes risk scoring | Yes | Yes
Live attack map | Country | City + live
One-click hosting-abuse reports (WHOIS-based) | Yes | Yes
Deep IP investigation (WHOIS / DNSBL / Tor) | Yes | Yes
AbuseIPDB integration | BYO key | Built-in
Cloud-pushed WAF rules (daily updates) | - | Yes
CVE detection for installed plugins / themes | - | Yes
IP reputation feed | - | Yes
Country & ASN blocking (with GeoIP) | - | Yes
Cloud malware signature scanner | - | Yes
Magic-link passwordless login | - | Yes
Per-role MFA enforcement | - | Yes
Trusted devices | - | Yes
Emergency lockdown + maintenance page | - | Yes
Tamper-evident audit log (hash-chained) | - | Yes
SIEM streaming + forensic export bundle | - | Yes
Slack / Discord / Teams / PagerDuty / SMS | - | Yes
White-label branding | - | Yes
Email support | - | Yes
// Pricing

One-time payment. No subscriptions.

Pick the license that fits. Every tier includes all Pro features and email support.

10 Sites

Freelancers & growing agencies

$149
one-time · lifetime updates
Use on up to 10 websites
All Pro features
Email support

Unlimited Sites

Large agencies & unlimited scale

$299
one-time · lifetime updates
Use on unlimited websites
All Pro features
Email support
// FAQ

Frequently asked questions.

What if MossHill Security locks me out of my own site?
It won't, by design. The activator IP is auto-allowlisted on activation. Authenticated sessions are exempt from every block decision. There are 10 documented rescue paths, including a kill-switch file (drop mosshill-disable.txt into wp-content) and an email-driven magic-link rescue that bypasses every blocking feature for 30 minutes. New blocking defaults run in soft / log-only mode for 14 days before they enforce.
Will MossHill Security slow down my site?
No. Scans are chunked across WP-Cron ticks with a persistent cursor - never set_time_limit(0) in a request path. The WAF inspects requests with a small bundled regex set; cloud rules only run if you have Pro. The audit log writes are append-only and lazy-pruned. MossHill Security is built to be server-light from day one.
Does MossHill Security play nicely with Wordfence, Sucuri, Solid Security, etc.?
Yes. On activation MossHill Security detects competing security plugins and softens overlapping defaults instead of double-binding (e.g. it won't add a second login limiter if Wordfence is already running). The compatibility matrix is shown in the dashboard so you can pick which plugin owns which feature.
What's actually in the free version vs Pro?
Free is fully functional standalone - login hardening, 2FA, file integrity monitoring, endpoint WAF (28+ bundled OWASP-style rules), audit log, health dashboard, and all 10 rescue paths. Pro adds cloud-driven defenses (WAF rule updates, IP reputation, GeoIP, country/ASN blocks, cloud malware sigs), advanced auth (magic-link, per-role MFA, trusted devices), forensics (tamper-evident audit log, SIEM streaming, forensic export ZIP), and notifications (Slack/Discord/Teams/PagerDuty/SMS). See the comparison table above.
Do you bundle malware signatures in the free plugin?
No, intentionally. YARA-style file content patterns trigger Plugin Check and AV false positives, so signatures are Pro-only and fetched from the cloud at runtime. WAF request patterns (regex against incoming requests) are bundled in free.
What's the difference between the free and Pro attack map?
Free uses a small bundled IP-to-country table (top RIR /8 allocations) and plots one pulse per country. Pro uses a city-precision GeoIP feed from our cloud, polls for new attacks every minute, and animates attack-origin trails. Both versions share the same UI, so upgrading just lights up extra data.
How does the rule tester not break my site if I make a mistake?
The tester replays your last 10 blocked requests against your draft rule WITHOUT saving it. You see green / grey indicators per request before clicking save. No traffic is rerouted, no real requests are blocked — it's a pure simulation against your existing audit log data.
Is this a subscription?
No. One-time payment for lifetime updates and email support, for the number of sites in your license tier.
Do you offer refunds?
Yes. If MossHill Security doesn't work for you, request a refund within 14 days, no questions asked.
