Overview
SiteLock's cloud, DNS-based web application firewall (WAF), historically branded TrueShield and now marketed simply as the SiteLock WAF, filters inbound traffic before it reaches your site. Originally built on Incapsula technology, it blocks the OWASP Top 10 attack classes, including SQL injection and cross-site scripting, plus malicious bots and DDoS attacks via machine learning and IP reputation.
The platform pairs the WAF with an integrated CDN across 44+ data centers, virtual patching, and a separate malware scanning and removal suite. A dedicated WordPress plugin is available, and setup is a single DNS change of about five minutes. SiteLock is sold directly and through hosting resellers such as HostGator, Bluehost, and Network Solutions.
It targets small businesses and shared-hosting owners who want hands-off protection. Pricing comes in three monthly tiers (Basic $19.99, Pro $29.99, Business $44.99), with roughly two months free on annual billing; the WAF starts at the Pro tier, not Basic, and a host's bundled price can differ from buying direct.
Key Features
TrueShield WAF
Cloud-based WAF providing OWASP Top 10 protection via DNS redirect.
Malware Scanning
Daily website scanning for malware, backdoors, and suspicious files.
Hosting Provider Integration
Available directly through many hosting control panels.
Pros & Cons
Pros
- Easy setup: DNS-based deployment accessible to non-technical users.
- Hosting provider availability: Available through many hosting providers' control panels.
- All-in-one website security: Combines WAF with malware scanning and removal.
Cons
- Basic WAF features: WAF capabilities are limited compared to enterprise solutions.
- Mixed reputation: Some criticism for aggressive upselling through hosting partners.
- Limited transparency: Less detailed documentation and threat intelligence sharing.
Pricing
Pricing model: Monthly subscription
Basic
Malware scanning and backup; does not include the WAF
- Daily malware scanning
- Automatic malware removal
- Website backup
Pro
Adds the WAF and CDN
- Everything in Basic
- Web Application Firewall (WAF)
- CDN acceleration
- Bot and DDoS blocking
Business
Advanced WAF and compliance
- Everything in Pro
- Custom WAF rules
- PCI firewall compliance reporting
- Two-factor authentication
Our Verdict
SiteLock TrueShield provides basic WAF protection for small businesses and shared hosting environments. While easy to set up, it lacks the advanced features of dedicated WAF solutions.
Our verdict: Adequate for small sites needing basic protection, but consider Cloudflare's free tier as an alternative.
CVE Coverage
SiteLock TrueShield can detect and block attacks matching 105K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-49294 | UNKNOWN |
| CVE-2026-20262 | MEDIUM |
| CVE-2026-9863 | UNKNOWN |
| CVE-2026-9862 | UNKNOWN |
| CVE-2025-15659 | UNKNOWN |
| CVE-2025-15658 | UNKNOWN |
| CVE-2026-52704 | UNKNOWN |
| CVE-2019-25746 | HIGH |
| CVE-2018-25436 | CRITICAL |
| CVE-2016-20084 | HIGH |
Frequently Asked Questions
Is SiteLock TrueShield a real WAF?
Yes. It is a genuine cloud-based web application firewall: a DNS change routes your site's traffic through SiteLock's network, where it is filtered to block the OWASP Top 10 attack classes, malicious bots, and DDoS attempts. SiteLock has increasingly dropped the "TrueShield" name in its current marketing and simply calls it the SiteLock WAF, but it is the same product. Historically the WAF was powered by Incapsula's technology.
How is SiteLock sold, and what does it cost?
SiteLock is sold both directly on sitelock.com and through many hosting providers (HostGator, Bluehost, Network Solutions, and resellers). Current direct pricing is three monthly tiers: Basic $19.99, Pro $29.99, and Business $44.99, with roughly two months free on annual billing. Prices bought through a host can differ, so compare the host's quote against SiteLock's direct pricing.
Does SiteLock work with WordPress?
Yes. SiteLock offers a dedicated WordPress plugin alongside its DNS-based WAF and scanning, and the help center has WordPress-specific setup guides. Because the WAF sits in front of the site via DNS, it protects WordPress without server-side installation; the plugin adds dashboard integration.
Is the WAF the same as SiteLock's malware scanning?
No. They are separate layers. Malware scanning (included from the entry Basic plan) inspects your site's files and database for infections and can remove them. The WAF (included from the Pro plan upward) is a preventive firewall that blocks malicious requests before they reach your site. A full security posture uses both, but on SiteLock the WAF requires at least the Pro tier.
How is SiteLock's WAF deployed?
It is a cloud, DNS-based deployment. You point your domain to SiteLock's network with a single DNS change; no software install, code change, or server access is needed, and setup typically takes about five minutes. Traffic then routes through SiteLock's global network (44+ data centers), which also provides CDN acceleration.