Ready to get started?Download WordPress

Plugin Directory

WordPress Simple Firewall

Complete and Simple WordPress Security. Unrestricted, with no premium features.

The WordPress Simple Firewall is the only WordPress security plugin that protects itself - it will prevent access to its own settings so that unauthorized users can't deactivate or screw with your security settings.

An intro to the features and why you should use the Simple Firewall before getting all complicated with bulky security plugins.

Protects your WordPress site in 5 main ways:

Plugin Self-Protection

This plugins locks itself down - you can add access restriction to the plugin itself!

A Simple, Effective Firewall

Builds upon the simplicity and effectiveness of the WordPress Firewall 2 plugin.

WordPress Login Protection

Adds several layers of protection to the WordPress login screen through identity verification and Brute Force Login hacking prevention.

Comments and SPAM Protection

Uses and builds upon tried and tested SPAM prevention and filtering techniques with some unique approaches found only in this plugin.

WordPress Lockdown

Provides options for locking down your WordPress site from both legitimate users and people who may have gained unauthorized access.

Read more on each section below...

A Simple Firewall

The WordPress Simple Firewall is built to be reliable, and easy to use by anyone. Seriously, the interface is simple! :)

It adds extra features over WordPress Firewall 2, including:

  • 7 Simple, clear, Firewall blocking options - pick and choose for ultimate protection and compatibility.
  • Option: Ignore already logged-in Administrators so you don't firewall yourself as you work on the site.
  • Option: IP Address Whitelist. So you can vet your own IP addresses and 3rd Party Services.
  • Option: Developer option for 3rd Party Services to dynamically add IP Addresses to whitelist (our plugin is built to work with others!) E.g. iControlWP.
  • Option: IP Address Blacklist so you can completely block sites/services based on their IP address.
  • Option: to easily turn on / off the whole firewall without disabling the whole plugin! (so simple, but important)
  • Recovery Option: You can use FTP to manually turn ON/OFF the Firewall. This means if you accidentally lock yourself out, you can forcefully turn off the firewall using FTP. You can also turn back on the firewall using the same method.
  • Performance: When the firewall is running it is processing EVERY page load. So your firewall checking needs to be fast. This plugin is written to cache settings and minimize database access: 1-3 database calls per page load.
  • Logging: Full logging of Firewall (and other options) to analyse and debug your traffic and settings.
  • Option: Email when firewall blocks a page access - with option to specify recipient.
  • Option: Email throttling. If you get hit by a bot you wont get 1000s of email... you can throttle how many emails are sent. useful for 3rd party services that connect to the site using other plugins.

Basic functionality is based on the principles employed by the WordPress Firewall 2 plugin.

Login and Identity Protection - Stops Brute Force Attacks

Note: Login Protection is a completely independent feature to the Firewall. IP Address whitelists are not shared.

With our Login Protection features this plugin will single-handling prevent brute force login attack on all your WordPress sites.

It doesn't need IP Address Ban Lists (which are actually useless anyway), and instead puts hard limits on your WordPress site, and force users to verify themselves when they login.

As of version 1.2.0+ you now have several ways to add simple protection to your WordPress Login system.

  1. Email-based 2-Factor Login Authentication based on IP address! (prevents brute force login attacks)
  2. Login Cooldown Interval - WordPress will only process 1 login per interval in seconds (prevents brute force login attacks)
  3. GASP Anti-Bot Login Form Protection - Adds 2 protection checks for all WordPress login attempts (prevents brute force login attacks using Bots)

These options alone will protect your WordPress sites from nearly all forms of Brute Force login attacks.

And you hardly need to configure anything! Simply check the options to turn them on, set a cooldown interval and you're instantly protected.

SPAM and Comments Filtering

As of version 1.6, this plugin integrates GASP Spambot Protection.

We have taken this functionality a level further and added the concept of unique, per-page visit, Comment Tokens.

Comment Tokens are unique keys that are created every time a page loads and they are uniquely generated based on 3 factors:

  1. The visitors IP address.
  2. The Page they are viewing
  3. A unique, random number, generated at the time the page is loaded.

This is all handle automatically and your users will not be affected - they'll still just have a checkbox like the original GASP plugin.

These comment tokens are then embedded in the comment form and must be presented to your WordPress site when a comment is posted. The plugin will then examine the token, the IP address from which the comment is coming, and page upon which the comment is being posted. They must all match before the comment is accepted.

Furthermore, we place a cooldown (i.e. you must wait X seconds before you can post using that token) and an expiration on these comment tokens. The reasons for this are:

  1. Cooldown means that a spambot cannot load a page, read the unique comment token and immediately re-post a comment to that page. It must wait a while. This has the effect of slowing down the spambots, and, if the spambots get it wrong, they've wasted that token - as tokens can only be used once.
  2. Expirations mean that a spambot cannot get the token and use it whenever it likes, it must use it within the specfied time.

This all combines to make it much more difficult for spambots (and also human spammers as they have to now wait) to work their dirty magic :)

Requires: 3.2.0 or higher
Compatible up to: 3.9
Last Updated: 2014-4-14
Downloads: 33,222


5 stars
5 out of 5 stars


10 of 11 support threads in the last two months have been resolved.

Got something to say? Need help?


Not enough data

0 people say it works.
0 people say it's broken.

100,1,1 0,1,0 100,2,2 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1
0,1,0 100,1,1 100,1,1
100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,2,2 100,1,1
100,1,1 100,1,1 100,1,1 100,1,1