SiteLock Security – WP Hardening, Login Security & Malware Scans Security & Risk Analysis

wordpress.org/plugins/sitelock

Free, lightweight WordPress security. Harden your site with login protection & 2FA, see Site Health clearly and run on-demand checks—setup in minutes.

1K active installs · v5.1.0 · PHP 8.0+ · WP 3.8+ · Updated Feb 26, 2026
Tags: login-security, malware-scan, site-health, vulnerability-scanner, wordpress-security
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 25, 2026
Safety Verdict

Is SiteLock Security – WP Hardening, Login Security & Malware Scans Safe to Use in 2026?

Generally Safe

Score 98/100

SiteLock Security – WP Hardening, Login Security & Malware Scans has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 25, 2026 · Updated 1mo ago
Risk Assessment

SiteLock v5.1.0 demonstrates several positive security practices: a high percentage of its SQL statements are prepared and its outputs are properly escaped, which significantly reduces the risk of common web vulnerabilities such as SQL injection and XSS. The absence of critical or high-severity taint flows, together with the robust use of nonce and capability checks on its entry points, further indicates a generally secure codebase.

However, the plugin has two medium-severity CVEs in its history. Both are patched, but they still raise a concern about its past security track record, and the common vulnerability type, 'Missing Authorization', suggests a recurring pattern that warrants careful monitoring. The static analysis also reveals the use of the dangerous functions 'exec' and 'unserialize'. Their presence does not necessarily indicate an immediate vulnerability in this version, but they can become points of exploitation if not handled with extreme caution and proper sanitization within the plugin's logic.

In conclusion, SiteLock v5.1.0 appears to have a good current security posture, with strong defensive coding practices and no immediately exploitable flaws identified in the static analysis. Its strengths lie in output escaping and prepared statements; its past authorization issues and its use of potentially risky functions are the areas that call for continued vigilance and close monitoring.

Key Concerns

  • Medium severity CVEs in history
  • Use of dangerous functions (exec, unserialize)
Vulnerabilities
2

SiteLock Security – WP Hardening, Login Security & Malware Scans Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2026-24532 · medium · 4.3 · Missing Authorization
SiteLock Security <= 5.0.2 - Missing Authorization
Jan 25, 2026 · Patched in 5.0.3 (19d)

CVE-2025-62128 · medium · 4.3 · Missing Authorization
SiteLock Security <= 5.0.1 - Missing Authorization
Dec 30, 2025 · Patched in 5.0.2 (7d)
Code Analysis
Analyzed Mar 16, 2026

SiteLock Security – WP Hardening, Login Security & Malware Scans Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 4 (21 prepared)
  • Unescaped Output: 23 (1446 escaped)
  • Nonce Checks: 21
  • Capability Checks: 11
  • File Operations: 15
  • External Requests: 5
  • Bundled Libraries: 0

Dangerous Functions Found

exec · admin\class-sitelock-hardening.php:1027
    $apachectl = function_exists('exec') ? @exec('which apachectl 2>/dev/null') : '';

exec · admin\class-sitelock-hardening.php:1041
    @exec('apachectl configtest 2>&1', $output, $return_code);

unserialize · admin\partials\activity-logs\sitelock_login_logs.php:43
    <td><?php echo esc_html(implode(', ', unserialize($sitelock_login_log->roles))); ?></td>

SQL Query Safety

84% prepared · 25 total queries

Output Escaping

98% escaped · 1469 total outputs

Data Flows: All sanitized

Data Flow Analysis

10 flows
sitelock_complete_login_after_2fa (admin\class-sitelock-2fa.php:461)
Attack Surface

SiteLock Security – WP Hardening, Login Security & Malware Scans Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_sitelock_disable_2fa · admin\class-sitelock-2fa-settings.php:44
auth · wp_ajax_sitelock_verify_2fa · admin\class-sitelock-2fa-settings.php:45
auth · wp_ajax_sitelock_scan · admin\class-sitelock-admin.php:153
auth · wp_ajax_sitelock_dismiss_notice · admin\class-sitelock-block-admin-username.php:36

WordPress Hooks 81

action · add_option_sitelock_2fa_settings · admin\class-sitelock-2fa-settings.php:38
action · update_option_sitelock_2fa_settings · admin\class-sitelock-2fa-settings.php:39
action · show_user_profile · admin\class-sitelock-2fa-settings.php:42
action · edit_user_profile · admin\class-sitelock-2fa-settings.php:43
action · admin_enqueue_scripts · admin\class-sitelock-2fa-settings.php:50
action · login_form_sitelock-2fa · admin\class-sitelock-2fa.php:29
action · wp_logout · admin\class-sitelock-2fa.php:32
action · init · admin\class-sitelock-admin-monitor.php:12
action · sitelock_check_admins_cron · admin\class-sitelock-admin-monitor.php:13
action · user_register · admin\class-sitelock-admin-monitor.php:15
action · set_user_role · admin\class-sitelock-admin-monitor.php:16
action · delete_user · admin\class-sitelock-admin-monitor.php:17
action · save_post · admin\class-sitelock-admin.php:118
action · admin_menu · admin\class-sitelock-admin.php:121
action · admin_menu · admin\class-sitelock-admin.php:124
action · admin_menu · admin\class-sitelock-admin.php:127
action · admin_head · admin\class-sitelock-admin.php:130
action · admin_init · admin\class-sitelock-admin.php:132
action · admin_init · admin\class-sitelock-admin.php:134
action · admin_init · admin\class-sitelock-admin.php:137
action · admin_init · admin\class-sitelock-admin.php:140
action · admin_post_sitelock_security_form_data · admin\class-sitelock-admin.php:143
action · admin_init · admin\class-sitelock-admin.php:146
action · admin_menu · admin\class-sitelock-admin.php:149
action · admin_enqueue_scripts · admin\class-sitelock-admin.php:151
action · user_profile_update_errors · admin\class-sitelock-block-admin-username.php:16
filter · pre_user_login · admin\class-sitelock-block-admin-username.php:19
filter · registration_errors · admin\class-sitelock-block-admin-username.php:22
action · admin_notices · admin\class-sitelock-block-admin-username.php:28
action · admin_enqueue_scripts · admin\class-sitelock-block-admin-username.php:46
action · login_form · admin\class-sitelock-force-logout.php:13
filter · login_cookie_lifetime · admin\class-sitelock-force-logout.php:16
action · wp_login · admin\class-sitelock-force-logout.php:19
action · init · admin\class-sitelock-force-logout.php:22
action · admin_init · admin\class-sitelock-hardening.php:32
action · add_option_sitelock_security_settings · admin\class-sitelock-hardening.php:33
action · update_option_sitelock_security_settings · admin\class-sitelock-hardening.php:34
action · add_option_sitelock_security_settings · admin\class-sitelock-hardening.php:35
action · admin_notices · admin\class-sitelock-hardening.php:37
action · update_option_sitelock_security_settings · admin\class-sitelock-hardening.php:827
action · add_option_sitelock_security_settings · admin\class-sitelock-hardening.php:828
action · wp_login_failed · admin\class-sitelock-login-lockout.php:15
filter · authenticate · admin\class-sitelock-login-lockout.php:17
action · wp_login · admin\class-sitelock-login-lockout.php:19
action · admin_init · admin\class-sitelock-login-lockout.php:21
action · wp_login · admin\class-sitelock-login-logger.php:15
action · wp_login_failed · admin\class-sitelock-login-logger.php:16
action · admin_init · admin\class-sitelock-login-logger.php:17
action · sitelock_login_log_cleanup_cron · admin\class-sitelock-login-logger.php:18
action · user_profile_update_errors · admin\class-sitelock-password-strength.php:26
action · admin_enqueue_scripts · admin\class-sitelock-password-strength.php:29
action · validate_password_reset · admin\class-sitelock-password-strength.php:32
action · login_head · admin\class-sitelock-password-strength.php:37
action · admin_head · admin\class-sitelock-password-strength.php:40
action · rest_api_init · includes\api\Helpers\class-sitelock-verification-service.php:27
action · plugins_loaded · includes\class-sitelock.php:162
action · admin_enqueue_scripts · includes\class-sitelock.php:176
action · admin_enqueue_scripts · includes\class-sitelock.php:177
action · wp_enqueue_scripts · includes\class-sitelock.php:191
action · wp_enqueue_scripts · includes\class-sitelock.php:192
action · plugins_loaded · includes\class-sitelock.php:249
action · plugins_loaded · includes\class-sitelock.php:255
action · plugins_loaded · includes\class-sitelock.php:259
filter · wp_authenticate_user · sitelock.php:177
action · admin_notices · sitelock.php:267
action · admin_init · sitelock.php:417
filter · rest_authentication_errors · sitelock.php:451
filter · admin_init · sitelock.php:469
action · wp_logout · sitelock.php:480
filter · wp_is_application_passwords_available_for_user · sitelock.php:514
action · show_user_profile · sitelock.php:545
action · edit_user_profile · sitelock.php:546
filter · authenticate · sitelock.php:581
action · admin_post_handle_auth_key · sitelock.php:614
action · admin_post_activate_email_key · sitelock.php:617
action · wp_head · sitelock.php:625
action · wp_footer · sitelock.php:632
action · admin_notices · sitelock.php:638
action · admin_enqueue_scripts · sitelock.php:765
filter · admin_footer_text · sitelock.php:809
filter · update_footer · sitelock.php:810

Scheduled Events 3

sitelock_check_admins_cron
sitelock_check_admins_cron
sitelock_login_log_cleanup_cron
Maintenance & Trust

SiteLock Security – WP Hardening, Login Security & Malware Scans Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 26, 2026
  • PHP min version: 8.0
  • Downloads: 48K

Community Trust

  • Rating: 68/100
  • Number of ratings: 14
  • Active installs: 1K
Developer Profile

SiteLock Security – WP Hardening, Login Security & Malware Scans Developer Profile

SiteLock

1 plugin · 1K total installs

  • Trust score: 93
  • Avg Security Score: 98/100
  • Avg Patch Time: 13 days
Detection Fingerprints

How We Detect SiteLock Security – WP Hardening, Login Security & Malware Scans

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Script Paths

  • /wp-content/plugins/sitelock/assets/js/sitelock-frontend.js
  • /wp-content/plugins/sitelock/assets/js/sitelock-admin-global.js
  • /wp-content/plugins/sitelock/assets/js/sitelock-admin-dashboard.js
  • /wp-content/plugins/sitelock/assets/js/sitelock-admin-settings.js
  • /wp-content/plugins/sitelock/assets/js/sitelock-admin-scan-details.js
  • /wp-content/plugins/sitelock/assets/js/sitelock-admin-security-checklist.js
  • +3 more

Version Parameters

  • sitelock/assets/css/sitelock-frontend.css?ver=
  • sitelock/assets/css/sitelock-admin-global.css?ver=
  • sitelock/assets/css/sitelock-admin-dashboard.css?ver=
  • sitelock/assets/css/sitelock-admin-settings.css?ver=
  • sitelock/assets/css/sitelock-admin-scan-details.css?ver=
  • sitelock/assets/css/sitelock-admin-security-checklist.css?ver=
  • sitelock/assets/css/sitelock-admin-firewall.css?ver=
  • sitelock/assets/css/sitelock-admin-waf-logs.css?ver=
  • sitelock/assets/css/sitelock-admin-login-protection.css?ver=
  • sitelock/assets/js/sitelock-frontend.js?ver=
  • sitelock/assets/js/sitelock-admin-global.js?ver=
  • sitelock/assets/js/sitelock-admin-dashboard.js?ver=
  • sitelock/assets/js/sitelock-admin-settings.js?ver=
  • sitelock/assets/js/sitelock-admin-scan-details.js?ver=
  • sitelock/assets/js/sitelock-admin-security-checklist.js?ver=
  • sitelock/assets/js/sitelock-admin-firewall.js?ver=
  • sitelock/assets/js/sitelock-admin-waf-logs.js?ver=
  • sitelock/assets/js/sitelock-admin-login-protection.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • sitelock-container
  • sitelock-admin-menu-item
  • sitelock-dashboard-widget
  • sitelock-settings-section
  • sitelock-scan-details-table
  • sitelock-security-checklist-item
  • sitelock-firewall-rule
  • sitelock-waf-log-entry
  • +1 more

Data Attributes

  • data-sitelock-scan-id
  • data-sitelock-user-id
  • data-sitelock-rule-id
  • data-sitelock-log-id

JS Globals

  • SiteLockFrontend
  • SiteLockAdminGlobal
  • SiteLockAdminDashboard
  • SiteLockAdminSettings
  • SiteLockAdminScanDetails
  • SiteLockAdminSecurityChecklist
  • +3 more

REST Endpoints

  • /wp-json/sitelock/v1/scan-status
  • /wp-json/sitelock/v1/settings
  • /wp-json/sitelock/v1/firewall-rules
  • /wp-json/sitelock/v1/waf-logs
  • /wp-json/sitelock/v1/login-protection