NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall
A true Web Application Firewall NinjaFirewall (WP Edition) is a true Web Application Firewall. Although it can be installed and configured just like a plugin, it is a stand-alone firewall that stands in front of WordPress. It allows any blog administrator to benefit from very advanced and powerful security features that usually aren’t available at the WordPress level, but only in security applications such as the Apache ModSecurity module or the PHP Suhosin extension. NinjaFirewall requires at least PHP 7.1, MySQLi extension and is only compatible with Unix-like OS (Linux, BSD). It is not compatible with Microsoft Windows. NinjaFirewall can hook, scan, sanitise or reject any HTTP/HTTPS request sent to a PHP script before it reaches WordPress or any of its plugins. All scripts located inside the blog installation directories and sub-directories will be protected, including those that aren’t part of the WordPress package. Even encoded PHP scripts, hackers shell scripts and backdoors will be filtered by NinjaFirewall. Powerful filtering engine NinjaFirewall includes the most powerful filtering engine available in a WordPress plugin. Its most important feature is its ability to normalize and transform data from incoming HTTP requests which allows it to detect Web Application Firewall evasion techniques and obfuscation tactics used by hackers, as well as to support and decode a large set of encodings. See our blog for a full description: An introduction to NinjaFirewall filtering engine. Fastest and most efficient brute-force attack protection for WordPress By processing incoming HTTP requests before your blog and any of its plugins, NinjaFirewall is the only plugin for WordPress able to protect it against very large brute-force attacks, including distributed attacks coming from several thousands of different IPs. See our benchmarks and stress-tests: Brute-force attack detection plugins comparison The protection applies to the wp-login.php script but can be extended to the xmlrpc.php one. The incident can also be written to the server AUTH log, which can be useful to the system administrator for monitoring purposes or banning IPs at the server level (e.g., Fail2ban). Real-time detection File Guard real-time detection is a totally unique feature provided by NinjaFirewall: it can detect, in real-time, any access to a PHP file that was recently modified or created, and alert you about this. If a hacker uploaded a shell script to your site (or injected a backdoor into an already existing file) and tried to directly access that file using his browser or a script, NinjaFirewall would hook the HTTP request and immediately detect that the file was recently modified or created. It would send you an alert with all details (script name, IP, request, date and time). File integrity monitoring File Check lets you perform file integrity monitoring by scanning your website hourly, twicedaily or daily. Any modification made to a file will be detected: file content, file permissions, file ownership, timestamp as well as file creation and deletion. Watch your website traffic in real time Live Log lets you watch your website traffic in real time. It displays connections in a format similar to the one used by the tail -f Unix command. Because it communicates directly with the firewall, i.e., without loading WordPress, Live Log is fast, lightweight and it will not affect your server load, even if you set its refresh rate to the lowest value. Event Notifications NinjaFirewall can alert you by email on specific events triggered within your blog. Some of those alerts are enabled by default and it is highly recommended to keep them enabled. It is not unusual for a hacker, after breaking into your WordPress admin console, to install or just to upload a backdoored plugin or theme in order to take full control of your website. NinjaFirewall can also attach a PHP backtrace to important notifications. Monitored events: Administrator login. Modification of any administrator account in the database. Plugins upload, installation, (de)activation, update, deletion. Themes upload, installation, activation, deletion. WordPress update. Pending security update in your plugins and themes. Stay protected against the latest WordPress security vulnerabilities To get the most efficient protection, NinjaFirewall can automatically update its security rules daily, twice daily or even hourly. Each time a new vulnerability is found in WordPress or one of its plugins/themes, a new set of security rules will be made available to protect your blog immediately. Strong Privacy Unlike a Cloud Web Application Firewall, or Cloud WAF, NinjaFirewall works and filters the traffic on your own server and infrastructure. That means that your sensitive data (contact form messages, customers credit card number, login credentials etc) remains on your server and is not routed through a third-party company’s servers, which could pose unnecessary risks (e.g., decryption of your HTTPS traffic in order to inspect it, employees accessing your data or logs in plain text, theft of private information, man-in-the-middle attack etc). Your website can run NinjaFirewall and be compliant with the General Data Protection Regulation (GDPR). See our blog for more details. IPv6 compatibility IPv6 compatibility is a mandatory feature for a security plugin: if it supports only IPv4, hackers can easily bypass the plugin by using an IPv6. NinjaFirewall natively supports IPv4 and IPv6 protocols, for both public and private addresses. Multi-site support NinjaFirewall is multi-site compatible. It will protect all sites from your network and its configuration interface will be accessible only to the Super Admin from the network main site. Possibility to prepend your own PHP code to the firewall You can prepend your own PHP code to the firewall with the help of an optional distributed configuration file. It will be processed before WordPress and all its plugins are loaded. This is a very powerful feature, and there is almost no limit to what you can do: add your own security rules, manipulate HTTP requests, variables etc. Low Footprint Firewall NinjaFirewall is very fast, optimised, compact, and requires very low system resource. See for yourself: download and install the Code Profiler plugin and compare NinjaFirewall’s performance with other security plugins. Non-Intrusive User Interface NinjaFirewall looks and feels like a built-in WordPress feature. It does not contain intrusive banners, warnings or flashy colors. It uses the WordPress simple and clean interface and is also smartphone-friendly. Contextual Help Each NinjaFirewall menu page has a contextual help screen with useful information about how to use and configure it. If you need help, click on the Help menu tab located in the upper right corner of each page in your admin panel. Need more security ? Check out our new supercharged edition: NinjaFirewall WP+ Edition Unix shared memory use for inter-process communication and blazing fast performances. IP-based Access Control. Role-based Access Control. Country-based Access Control via geolocation. URL-based Access Control. Bot-based Access Control. Import/Export the configuration from WP-CLI. Centralized Logging. Antispam for comment and user regisration forms. Rate limiting option to block aggressive bots, crawlers, web scrapers and HTTP attacks. Response body filter to scan the output of the HTML page right before it is sent to your visitors browser. Better File uploads management. Better logs management. Syslog logging. Learn more about the WP+ Edition unique features. Compare the WP and WP+ Editions. Requirements WordPress 4.9+ Admin/Superadmin with manage_options + unfiltered_html capabilities. PHP 7.1+ MySQL or MariaDB with MySQLi extension Apache / Nginx / LiteSpeed / Openlitespeed compatible Unix-like operating systems only (Linux, BSD etc). NinjaFirewall is NOT compatible with Microsoft Windows.
Top keywords
- ninjafirewall22×1.79%
- wordpress16×1.30%
- file15×1.22%
- php11×0.89%
- security10×0.81%
- firewall9×0.73%
- access7×0.57%
- blog7×0.57%
- control6×0.49%
- http6×0.49%
- only6×0.49%
- access control5×0.41%
Vigilant – 100% Free Security Suite
Premium Security. Zero Cost. Vigilant provides enterprise-level WordPress security features completely free. No premium version, no upsells, no hidden features behind paywalls. Protect your site with a complete security suite: firewall, two-factor authentication, brute force protection, security headers, file integrity monitoring, closed plugin detection, malware detection, user management, security audit logging, under attack mode and much more. Once activated, Vigilant immediately applies firewall rules against common attacks (SQL injection, XSS, file inclusion), security headers, login attempt monitoring, XML-RPC blocking, WordPress version hiding and sensitive file protection (.htaccess, wp-config.php), after automatically backing up your existing configuration files. One-Click Security Presets Choose a preset and get protected instantly: Standard – Balanced security suitable for most websites. Enables all modules with sensible defaults that won’t interfere with normal site operation. Maximum Security – Strictest settings for high-security sites. Tighter rate limits, stronger CSP rules, mandatory admin notifications. May require fine-tuning for some setups. You can always customize individual settings after applying a preset. Under Attack Mode Is your site under active attack? Activate Under Attack mode with one click and stop malicious traffic instantly: JavaScript challenge – Every visitor must pass an automatic browser verification before accessing your site. Real browsers solve it in seconds, bots get blocked completely Aggressive rate limiting – Requests limited to 30 per minute with 15-minute blocks for offenders HTTP method restriction – Only GET, POST and HEAD allowed; PUT, DELETE, PATCH, OPTIONS and TRACE are blocked Empty user agent blocking – Requests without a user agent header are rejected Full XML-RPC lockdown during the attack REST API restriction – Only authenticated users can access the REST API Auto-deactivation – Mode turns off after 4 hours so you never forget it’s on Email notifications when the mode activates and deactivates HMAC-signed cookies – Verified visitors get a signed cookie so they only see the challenge once Under Attack mode works independently from your preset configuration. Your regular settings are preserved and restored when the mode deactivates. Two-Factor Authentication (2FA) Add a second verification step to your WordPress login: Authenticator app (TOTP) – Google Authenticator, Authy, Microsoft Authenticator or any TOTP-compatible app Email codes – One-time 6-digit verification codes sent via email QR code setup directly in user profiles 10 backup codes for emergency access if you lose your device Configurable grace period for users to set up their authenticator app Trusted devices – optionally let users skip 2FA on recognized devices for 30 days Role-based enforcement – require 2FA for administrators, editors or any role Exclude specific users from 2FA requirements Admin tool to reset TOTP for users who lost their authenticator Configurable code expiry, attempt limits and email sender name User notification emails when 2FA is enabled or the method changes Firewall Protection Block malicious requests before they reach WordPress: SQL injection blocking XSS (Cross-Site Scripting) attack prevention File inclusion protection (LFI/RFI) Directory traversal blocking Bad query string filtering (catches generic suspicious patterns the specific blockers miss) Bad bot detection and blocking Block requests with empty user agent Block legacy HTTP/1.0 requests (almost always automated tools, never modern browsers) Rate limiting against DDoS and brute force, with optional progressive lockouts IP whitelist and blacklist management (IPv4 and IPv6, with CIDR ranges and wildcards) User-Agent whitelist and blacklist with partial matching Visitor IP detection control – read the real IP directly from the connection (a spoof-proof default) or from a proxy header when behind Cloudflare, a reverse proxy or a load balancer, with an admin notice if a proxy is detected but not configured HTTP method restriction Server-level file protection via .htaccess: block direct access to wp-config.php, .htaccess, wp-includes/ and sensitive files (.log, .sql, .bak, .ini, debug.log, readme.html, etc.), and optionally wp-cron.php external access Block PHP execution in /uploads (one of the most common post-exploit vectors) Disable directory browsing Login Security Stop unauthorized access attempts: Limit login attempts with configurable thresholds Progressive lockouts – longer blocks for repeat offenders Custom login URL – hide wp-login.php from bots Login URL change notifications to all admin-area users Hide login error messages – don’t reveal valid usernames XML-RPC disable, with a separate toggle for just the pingback method if you still need other XML-RPC features Application passwords control Email notification when an IP is blocked for exceeding login attempts Admin login notifications via email IP whitelist for trusted locations User Security Comprehensive user account protection: Block insecure usernames (admin, test, root, etc.) on new registrations Warn about existing users with insecure usernames so you can rename or remove them Block author scanning – intercept ?author=N URLs so WordPress doesn’t redirect them to /author/USERNAME/ and leak the login slug Force strong passwords with minimum length Password expiration with configurable intervals Password history – prevent reusing old passwords Force password reset – by specific users, by role, or all users (post-hack recovery) Session limits – control concurrent logins per user Session management – view and revoke active sessions Email verification for new registrations Registration approval workflow – manually approve new users Admin account monitoring – alerts for new admins, email changes, password changes, privilege escalation Display name protection – prevent exposing login username publicly Security Headers Achieve Grade A security ratings: Content Security Policy (CSP) with visual builder and Report-Only mode for safe testing before enforcing HSTS (HTTP Strict Transport Security) with includeSubdomains and preload options X-Frame-Options – prevent clickjacking X-Content-Type-Options – prevent MIME sniffing Referrer Policy control Permissions Policy (camera, microphone, geolocation, payment, USB) Cross-Origin policies (COEP, COOP, CORP) HTTPS enforcer with automatic mixed content fix Server fingerprint hiding – the Server: header is neutralized and X-Powered-By and other fingerprinting headers are stripped from responses File Integrity Monitoring Detect unauthorized changes to your files and compromised plugins: WordPress core verification against official checksums Plugin and theme file monitoring with WordPress.org checksums Critical config files (wp-config.php, .htaccess) monitored against baseline, detecting code injection even in files with no official checksum Closed and removed plugins detection – daily check against the WordPress.org repository, flagging any installed plugin closed for malware, security issues or guideline violations, including both explicit closures and silent “removed” takedowns, with per-slug Ignore for legacy plugins you can’t uninstall yet Line-level diff view of changes, with per-file approval workflow Suspicious code scanning for plugins and themes without checksums Extra file detection in plugins and themes (files not in original distribution) Uploads directory scanning for PHP files, double extensions and .htaccess, with smart classification of dangerous rules vs protective ones Root directory scanning for non-core PHP files (common attack vector) String concatenation obfuscation detection Configurable notification levels and an ignore list to dismiss known files Excluded paths and file extensions Scheduled automatic scans (daily, weekly) HTML formatted email alerts with severity sections, including a dedicated section for closed plugins Security Audit Track everything happening on your site: Successful and failed login attempts Two-factor authentication events User account changes (creation, deletion, role changes) Content modifications (posts, pages) Plugin and theme activations/deactivations Security events and blocked threats HTTP request method tracking and filtering (GET, POST, PUT, DELETE) Enhanced log detail popup with grouped sections and quick actions One-click add IP or User-Agent to firewall whitelist/blacklist from log entries Direct IP lookup links to AbuseIPDB Configurable retention period, CSV export, and filtering by event type, severity, request method or date Audit Alerts – get an email when the audit log points to something worth your attention, off by default and configured under Security Audit: Immediate alerts the moment a serious event is logged, by minimum severity (a new administrator, a closed plugin or a privilege escalation are all logged as Critical) Threshold alerts when a category spikes – firewall blocks, login failures, user, plugin, file integrity, security, system and content events – over a 30-minute, 1, 6 or 24 hour window, counting only warning and critical events so routine activity never trips them A single anti-repeat cooldown keeps a storm of events down to one notice instead of flooding your inbox Active alerts surface in Settings & Tools, the Dashboard, the Configuration Score and the Security Check “Send test email” button to confirm delivery Security Check On-demand security audit built into the Dashboard. No external services, no accounts, no API keys – everything runs on your server: 40+ checks across 6 categories: SSL/TLS, HTTP Headers, WP Exposure, Access & Auth, Sensitive Files and Internal Checks Single 0-100 score with A-E grade, plus per-category breakdown and explanatory details for every check 15 exclusive internal checks impossible from the outside: PHP end-of-life status, pending updates, inactive plugins, closed or removed plugins, file permissions, default salts detection, wp_ table prefix, admin username, administrators without 2FA enrolled, module status, recent audit errors, last File Integrity scan result and whether audit alerts are configured DNS-only reputation lookup against Spamhaus ZEN, Barracuda BRBL and SpamCop SCBL (informational – listings are flagged but don’t deduct from the score) Two-phase scan: fast local checks appear in under a second, remote checks stream in as they complete Weekly automatic scan with opt-in email alert if the score drops by 10+ points or a new critical check starts failing 30-scan history with sparkline trend and delta chip “Go to setting” fix link on every failing check, jumping straight to the exact Vigilant field that resolves it Smart header diagnostics that report “configured but not being served” when a cache/CDN overrides your headers WordPress Hardening Layered protection at the WordPress level – admin, content, head, feeds and database: Lock down the admin: disable the built-in plugin and theme file editor, block installations and updates from the admin area, and force HTTPS for the admin area. Compatible with any hosting layout, respecting values already in place and never overriding them Disable WordPress’s internal page-view cron when you already have a real server-side cron job configured Dashboard warning when debug mode is left enabled in production, so error output never leaks to visitors Hide your WordPress version everywhere it can leak: from the HTML head, from RSS and Atom feeds, and optionally from every script and style URL on the front-end (stripping only the WordPress version itself, leaving plugin and theme cache busting intact) Automatic daily removal of readme.html, license.txt and licencia.txt from the WordPress root, which otherwise expose your version HTML head cleanup – remove the RSD link, Windows Live Writer manifest, shortlink header and REST API discovery link Database hardening – check for the default wp_ table prefix and one-click rename tool with full backup before the change Comment security – honeypot field against spam bots, force moderation on every new comment, close comments on old posts, disable pingbacks and trackbacks Feed management – completely disable RSS and Atom feeds, or only disable them when the site has no published content REST API Security Control API access to your site: Three access modes: public (default WordPress behavior), authenticated only (closes the API to anonymous visitors), or selective (custom allow/block lists) Block user enumeration via /wp-json/wp/v2/users Protect any list of sensitive endpoints from anonymous access Per-plugin compatibility toggles so authenticated mode doesn’t break the front-end: WooCommerce, Contact Form 7, Gravity Forms, WPForms, Elementor, Jetpack. oEmbed and Site Health endpoints stay accessible by default Security Tools Utilities included: Database Backup – Download a full or partial database backup as ZIP with table selection Database Prefix Change – Change the default wp_ prefix to a random secure prefix Export/Import Settings – Transfer your configuration between sites Manual Backup – Create backups of .htaccess and wp-config.php on demand Reset to Defaults – Start fresh with one click Safe by Design Your existing .htaccess, wp-config.php and robots.txt are automatically backed up before any modifications. Backups are stored in the WordPress database, never as files under the web root, and verified with MD5 checksums. When you deactivate Vigilant, all security rules are automatically removed and your original configuration files are restored. No leftover code, no broken sites. Why Vigilant? Most WordPress security plugins reserve their best features for paid plans. Vigilant gives you everything upfront – no premium tier, no feature locks, no upsells. Firewall, 2FA with authenticator app, security headers, file integrity scanner, security audit, on-demand Security Check with weekly regression alerts, and more. All free, all maintained, all following WordPress coding standards. We maintain a detailed feature comparison between Vigilant and other popular security plugins (Wordfence, Solid Security, AIOS, Sucuri, SG Security). See what each offers in its free version and where Vigilant fills the gaps. → View the full comparison Support Need private support or custom development? Do you need one-on-one help, priority troubleshooting, or a custom feature, integration, or tweak built specifically for your site? I offer private support and custom development. Just contact me and tell me what you need. Need help or have suggestions? Official website WordPress support forum YouTube channel Documentation and tutorials Love the plugin? Please leave us a 5-star review and help spread the word! About AyudaWP We are specialists in WordPress security, SEO, AI and performance optimization plugins. We create tools that solve real problems for WordPress site owners while maintaining the highest coding standards and accessibility requirements.