Fortify v1.0

AJT Fortify

Unlike existing WordPress security plugins that bolt a WAF onto WordPress after it has bootstrapped, Fortify's MU-plugin sentinel intercepts requests at the earliest possible execution point. SQL injection, path traversal, and malicious payloads are blocked before they reach any WordPress code. Every request from every user on every endpoint is continuously verified through zero-trust scoring. Free tier on WordPress.org.


The Problem

Fortify fills the gap no WordPress security plugin covers: MU-level WAF interception, zero-trust API shielding for custom REST endpoints, TOTP step-up authentication via AJT MFA, behavioural analytics with AI-powered anomaly detection, and a Glass-native dashboard, all in a single package.

🔥

MU-Plugin WAF

Self-contained MU-plugin with zero dependencies. 8-stage pipeline: emergency lockdown, allowlist, blocklist, rate limiting, geo-blocking, bot detection, payload scanning, security headers. Fires before any plugin loads.

🎯

Zero-Trust Scoring

Every request scored 0-100 from session age, IP reputation, geographic consistency, behavioural baseline, request integrity, device fingerprint, and MFA status. Scores below threshold trigger challenges or blocks.

🛡️

API Shield

Per-endpoint rate limiting, request signing, and schema validation for all AJT REST API endpoints. Protects Stripe Pro payment routes and MSP Hub portal endpoints with pre-built protection profiles.

🔐

MFA Step-Up Auth

Deep AJT MFA integration. When the trust score drops, users see an inline TOTP modal, not a full-page redirect. Once the code is verified, the original request replays transparently. No context loss.

📊

Behavioural Analytics

Builds baselines for request volume, endpoint access, time-of-day, geographic patterns, error rates. Detects anomalies, impossible travel, credential stuffing, and password spray attacks.

📁

File Integrity Monitoring

SHA-256 hashes of all critical files. Detects modifications to WordPress core, AJT plugins, wp-config.php, MU-plugins, and uploads directory. Optional auto-restore for core files.

How It's Built

The engineering under the hood.

🌍

Geo-Blocking

MaxMind GeoLite2 database. Deny list, allow list, admin-only geo-lock, API geo-lock modes. Per-endpoint country restrictions for payment routes.

🤖

Bot Management

Verified bot detection via rDNS, JavaScript proof-of-browser challenges, AI scraper control (GPTBot, CCBot, etc.), headless browser detection. 500+ known bad bot signatures.

Kill Switches

File-based emergency bypasses that work when the database is unreachable and WordPress is broken. Create disable.flag via FTP and the sentinel passes everything through.
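A sketch of how a staged sentinel with a file-based kill switch can be structured, covering the staged pipeline and the disable.flag bypass described above. This is an added example, not Fortify's code: the verdict constants, `sentinel_verdict()`, the data directory and the sample rules are assumptions.

```php
<?php
// Added illustration, not Fortify's code. Stage names follow the page's list;
// the verdict semantics, file layout and sample rules are assumptions.

const ALLOW = 'allow';   // stop the pipeline, let the request through
const DENY  = 'deny';    // stop the pipeline, block the request
const NEXT  = 'next';    // no opinion, fall through to the next stage

function sentinel_verdict(array $req, string $dataDir, array $stages): array
{
    // Kill switch: a plain file test, so it still works with no database
    // and a broken WordPress. It fails open, so every bypass is logged.
    if (is_file($dataDir . '/disable.flag')) {
        error_log('sentinel: disable.flag present, WAF bypassed');
        return [ALLOW, 'kill-switch'];
    }
    foreach ($stages as $name => $stage) {
        $verdict = $stage($req);
        if ($verdict !== NEXT) {
            return [$verdict, $name];   // first decisive stage wins
        }
    }
    return [ALLOW, 'default'];
}

// Constructed stages standing in for three of the eight named on the page.
$stages = [
    'allowlist' => fn(array $r) => in_array($r['ip'], ['203.0.113.10'], true) ? ALLOW : NEXT,
    'blocklist' => fn(array $r) => in_array($r['ip'], ['198.51.100.7'], true) ? DENY : NEXT,
    'payload'   => fn(array $r) => preg_match('~\.\./|\bunion\b.+\bselect\b~i',
                       rawurldecode($r['uri'])) ? DENY : NEXT,
];

// Constructed demo: a temp directory as the data dir and a sample request.
$dir = sys_get_temp_dir() . '/sentinel-demo-' . getmypid();
@mkdir($dir);
$req = ['ip' => '192.0.2.44', 'uri' => '/?f=..%2F..%2Fwp-config.php'];

print_r(sentinel_verdict($req, $dir, $stages));   // flag absent: stages run
touch($dir . '/disable.flag');
print_r(sentinel_verdict($req, $dir, $stages));   // flag present: stages skipped
unlink($dir . '/disable.flag');
rmdir($dir);
```

Because the flag fails open, anything that can write to the data directory can switch the WAF off, so that directory belongs under file integrity monitoring and alerting.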

🔔

Alerts & Reporting

Email, Teams, and Glass Relay notifications for critical events. Daily security digest. Optional weekly PDF report via WeasyPrint.

🖥️

Glass + Robot

12+ Robot AI tools for natural-language security management. "Show me today's blocked attacks", "Ban this IP range", "What's the threat level?" Glass dashboard with 7 tabs.

🆓

Freemium

Free tier on WordPress.org with basic WAF rules, global rate limiting, brute force protection, and security headers. Genuinely useful security, not a demo.

The Recommended Stack

Three layers of protection that complement each other. Server-level, reverse proxy, and application-level security working together.

🖥️

Plesk + Imunify360

Server-level protection. Imunify360 provides real-time malware scanning, proactive defence, patch management, and kernel-level intrusion detection. Plesk manages the hosting environment with automated SSL, firewall rules, and server hardening. This is the outermost layer that catches threats before they reach your web stack.

🌐

Nginx Reverse Proxy

Network-level protection. Nginx sits in front of PHP and handles rate limiting zones, directory access blocks, PHP execution restrictions, and security headers at the server level. AJT MFA's Nginx Directives Generator auto-configures all of this for Plesk, including Fortify-specific rules for the WAF data directory and sentinel protection.

🛡️

AJT Fortify

Application-level protection. Fortify's MU-plugin sentinel provides the deepest inspection layer: payload scanning with 50+ rules, zero-trust request scoring, behavioural analytics, API Shield for AJT endpoints, and TOTP step-up authentication via MFA. Requests that bypass Nginx are still caught here.

How the Layers Work Together

A request hits Imunify360 first (kernel-level). If it passes, Nginx applies rate limits and access blocks (server-level). If it passes, Fortify's MU-plugin sentinel scans the payload, checks the trust score, and enforces API Shield rules (application-level). MFA's Nginx Directives Generator ensures all three layers are configured correctly for the AJT stack. A blocked request at any layer never reaches the next one, saving CPU and reducing attack surface at every stage.

Part of the Ecosystem

Every AJT plugin shares the same security model, UX system, and licensing infrastructure. They're designed as one architecture that ships as independent packages.
