Enterprise Security.
Included on Every Plan.

Two independent layers of protection working together to keep your WordPress sites safe from every direction.

BitNinja included
Phantomguard WordPress CDN & Security
Daily backups, free SSL
14.2M
Malicious requests blocked monthly
2 layers
Independent security systems
2,847
Active virtual CVE patches
0
Customer sites compromised
Architecture

How Our Two-Layer
Security Works

Most hosts offer one layer of protection or charge extra for security add-ons. Forge Web Services includes two completely independent security systems on every plan, at every price point.

Internet, Incoming Traffic

Brute force, malware, scrapers, zero-days, scanners

HOSTILE
Layer 1, Server level

BitNinja Server Security

IP reputation, WAF, brute force blocking, port honeypots

~98% BLOCKED
Layer 2, WordPress level

Phantomguard WordPress CDN & Security

Malware scanning, firewall, global content delivery

~99.7% TOTAL

Your WordPress Site

Receives only clean, legitimate traffic. Runs faster. Stays online.

PROTECTED
LIVE threat activity across the fleet, last hour
14,247
Blocked
328
Challenged
99.7%
Pass-through rate
14:22:18 BN POST /wp-login.php from 192.0.2.41, 47 attempts in 5m BLOCKED
14:22:14 PG GET /?author=1, user enumeration probe BLOCKED
14:22:09 BN GET /xmlrpc.php from 203.0.113.7, botnet scanner BLOCKED
14:21:58 PG POST /admin-ajax.php, SQLi pattern, plugin CVE BLOCKED
14:21:42 BN GET /.env from 198.51.100.22, credentials probe BLOCKED
14:21:35 PG POST /wp-json/wp/v2/users, missing nonce CHALLENGED
14:21:18 BN GET /admin.php from 192.0.2.88, fingerprinting BLOCKED
14:21:02 PG POST /upload.php, file extension mismatch BLOCKED
14:20:51 BN SSH from 198.51.100.103, 19 failed auths in 30s BLOCKED
14:20:33 PG GET /wp-config.php~, backup file probe BLOCKED
14:20:14 BN Port scan from 203.0.113.99, 38 ports in 12s BLOCKED
14:19:58 PG POST /wp-login.php, distributed brute force CHALLENGED
Layer 1, Server level

BitNinja Server Security

BitNinja operates at the server level, monitoring and filtering every connection before it reaches WordPress. It uses a global sensor network of 6,000+ protected servers to identify and block known attackers in real time, defending against roughly 98% of all cyberattack types.

6,000+
Protected servers in network
9M / day
Attacks defended across fleet
98%
Of cyberattack types covered

What it blocks

Brute force attacks
SQL injection
Cross-site scripting (XSS)
Remote code execution
Port scanning
DDoS attempts (L4 to L7)
Malicious bots and botnets
Spam sources
IP reputation threats
Malware uploads
Backdoor access attempts
Data leakage probes

Key features

Real-time IP reputation database
Web Application Firewall (WAF)
OWASP Top 10 threat protection
Brute force detection & auto-block
Port and web honeypots
Log analysis with distributed intel
Outgoing spam filter and traffic monitor
DDoS auto-detection (L4 to L7)
Captcha challenge: HTTP, HTTPS, SMTP, FTP
Real-time malware detection & removal
Block access to backdoor files
Country-level IP block/allow lists
CMS-specific WAF rules for WordPress
Data leakage & illegal access prevention
Botnet attack blocking
9M attacks defended per day across network
Layer 2, WordPress level

Phantomguard WordPress CDN & Security

Operating at the WordPress application level, Phantomguard protects against WordPress-specific threats and delivers your site faster worldwide through a Cloud WAF and global CDN. It works alongside BitNinja for a true two-layer defence.

What it covers

Malware scanning & automatic removal
WordPress login protection
File integrity monitoring
Plugin vulnerability detection
Global content delivery network
Edge-level DDoS mitigation
WordPress core hardening
PHP execution block in uploads
Quarantine for malicious files

Key features

Cloud WAF filtering threats at the edge
Automatic malware removal
DNS and CDN management
Hardening presets for core, login, files
Block PHP execution in /uploads
Extended hardening rules for WordPress
Plugin vulnerability virtual patching
Traffic analytics & security logging
Login protection & brute force prevention
File integrity monitoring
Quarantine for malicious files
Works alongside server-level BitNinja
ALWAYS WATCHING

Proactive monitoring
and fixing. Included.

We do not wait for your site to break before we act. Every server is monitored 24/7, and when something looks off, our engineers investigate, patch, and resolve it. Most issues are fixed before you ever notice.

  • 24/7 uptime monitoring with 30-second checks from multiple regions
  • Automatic incident response when CPU, memory, or response time spike
  • Plugin CVE patching applied within hours of disclosure, no waiting on you
  • Daily security scans with malware quarantine and engineer follow-up
  • Free fixes included for hosting-side issues, never billed extra
Server & uptime monitoring
24/7
Health-check interval, multi-region
30s
Patches applied after CVE disclosure
< 4 h
Engineer fixes, never a separate bill
Included
Layer 3, the server itself

Server Management Security

Built into the dedicated server management panel on every server. The boring, essential layer that hardens the box your site runs on.

Firewall & access control

  • UFW Firewall with custom rules from the panel
  • Isolated application environments per site
  • Fail2Ban with auto-block of malicious IPs
  • 8G Firewall per WordPress application
  • IP whitelisting for control panel access

Authentication & SSH hardening

  • Change SSH port from default 22
  • Enable or disable root login per server
  • Manage SSH and SFTP credentials per user
  • Two-factor authentication for panel login
  • Basic authentication per application

Updates & certificates

  • Automatic security updates on a schedule
  • Free SSL certificates on every site
  • Auto-renewing certificates, never expire
  • Wildcard certificate support
  • Daily backups with 7-day retention
Always-on baseline

The four protections every site gets, day one

8G Firewall

Blocks known bad bots, scanners, and malicious request patterns before they reach your application layer.

Fail2Ban

Automatically bans IP addresses after repeated failed login attempts. Pre-configured for SSH and WordPress login pages.

SSL on Every Site

Free SSL certificates on every domain, auto-renewed. Encrypted connections for all visitors.

Daily Backups

Full automated backups every 24 hours. Restore any backup in minutes from your control panel.

How We Compare

How We Compare on Security

What you actually get on every plan, side by side with the typical hosts.

Feature | Shared hosts | Other Managed Hosts | Forge Web Services
Dedicated server per client sometimes
BitNinja Server Security
WordPress-level security and CDN add-on
Global CDN included add-on
Automatic malware removal sometimes
Fail2Ban pre-configured
8G Firewall
Daily backups weekly
SSL included free

Security Included.
No Extra Charge.

Every Forge Web Services plan includes both security layers from day one. No security add-ons to purchase. No upsells. Just solid protection on every site, every month.


Ready to Experience Better
WordPress Hosting?

Get enterprise-grade features, expert support, and transparent pricing for a fraction of the cost.

30-day money-back guarantee
Expert migration
Free setup