Imunify360 Blog

Introducing WordPress WAF: Free for Every Imunify360 Customer

Written by Vladimir Markevich | Mar 24, 2026 7:59:59 AM

Imunify360 now includes WordPress WAF, a new security component that automatically blocks exploits targeting known vulnerabilities in WordPress plugins and themes.

Vulnerable websites are protected through virtual patching. When an attacker tries to exploit a vulnerability in a plugin or theme your customer hasn't updated, WordPress WAF blocks the malicious request before it reaches the vulnerable code. The site stays protected without requiring an update.

WordPress WAF is free for all Imunify360 customers. It's delivered through the Imunify Security WordPress plugin, activates automatically, and requires no extra configuration.


Plugin Vulnerabilities Are Your Problem Too

WordPress plugins and themes are the most common entry point for attackers targeting WordPress sites. When a vulnerability is publicly disclosed, there's a gap before site owners actually apply the update. Sometimes it's days. Sometimes it's weeks. Sometimes the update never happens.

Attackers exploit that gap, and hosting providers absorb the fallout: malware infections to clean up, support tickets to handle, compromised accounts to recover, and customers who churn after their site gets hacked. The site owners who skip updates become your operational problem.

WordPress WAF solves this problem.

 

How WordPress WAF Protects Your Customers' Sites

WordPress WAF inspects incoming HTTP requests and blocks those that match known exploit patterns for WordPress plugin and theme vulnerabilities. The vulnerable plugin or theme code remains in place but cannot be exploited. No forced updates, no broken functionality, no action required from the site owner.

WordPress WAF detects which plugins and themes are installed on each WordPress site and loads only the relevant rules. A site running five plugins receives rules for those five plugins, not the entire ruleset. This keeps the performance footprint minimal and reduces false positive risk.
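The per-site rule loading described above, sketched as an added example (not Imunify360's code or rule format). The rule fields, plugin and theme slugs, paths and patterns are constructed for illustration, and the `mode` switch mirrors the monitoring and blocking modes this post mentions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed ruleset: slugs, paths, parameters and patterns are hypothetical.
RULES = [
    {"id": "demo-001", "slug": "example-gallery", "kind": "plugin",
     "path": r"^/wp-content/plugins/example-gallery/download\.php$",
     "param": "file", "pattern": r"\.\./"},
    {"id": "demo-002", "slug": "example-forms", "kind": "plugin",
     "path": r"^/wp-admin/admin-ajax\.php$",
     "param": "form_id", "pattern": r"[^0-9]"},
    {"id": "demo-003", "slug": "example-theme", "kind": "theme",
     "path": r"^/wp-content/themes/example-theme/preview\.php$",
     "param": "tpl", "pattern": r"^(?:[a-z]+:)?//"},
]

def load_rules(installed, ruleset=RULES):
    """Keep only the rules whose (kind, slug) is installed on this site."""
    return [dict(r, path=re.compile(r["path"]),
                 pattern=re.compile(r["pattern"], re.I))
            for r in ruleset if (r["kind"], r["slug"]) in installed]

def inspect(url, site_rules, mode="block"):
    """Return (action, rule_id); 'monitor' mode records a match without blocking."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so encoded input is matched after decoding
    params = parse_qsl(parts.query, keep_blank_values=True)
    for rule in site_rules:
        if not rule["path"].search(parts.path):
            continue
        for name, value in params:
            if name == rule["param"] and rule["pattern"].search(value):
                return ("block" if mode == "block" else "log", rule["id"])
    return ("allow", None)

# Constructed site inventory: two of the three components are installed.
SITE = {("plugin", "example-gallery"), ("theme", "example-theme")}
ACTIVE = load_rules(SITE)
```

Because `example-forms` is not installed on this site, its rule is never loaded, so a request that would match it is neither evaluated nor blocked here.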

 

Tested on 500,000+ WordPress Sites

Before launching WordPress WAF in blocking mode, we ran these rules in monitoring mode across more than 500,000 WordPress sites. We validated that rules work as intended and monitored extensively for false positives. WordPress WAF is now rolling out in active blocking mode for all customers.

The ruleset is managed by a dedicated team of security experts and is growing rapidly. It already covers critical and new CVEs across the WordPress plugin and theme ecosystem from late 2025 and 2026, and we're adding hundreds of new blocking rules every week.

Our security team works to deploy a new blocking rule within 24 hours of a vulnerability disclosure.

 

Visible Protection in the WordPress Dashboard

Site owners see their WordPress WAF protection directly in the Imunify Security plugin inside their WordPress admin dashboard. They can see which rules are triggered on their site and the details of the incidents.

Our team continuously monitors for false positives across the network and rolls out rule updates as needed. Site owners can also control which rules to keep active on their sites. 

 

How to Get Started

All Imunify360 customers are eligible. Enable the Imunify Security WordPress plugin on your servers, and WordPress WAF activates automatically for every WordPress site on the server. No extra cost. No configuration required.



Not yet running Imunify360? Start your free 14-day trial