WordPress Simple Firewall

Complete and Simple WordPress Security. Unrestricted, with no premium features.


  • ADD: Add various WordPress security features dynamically that would otherwise require wp-config.php editing.
  • CHANGE: Interface to give a better "At-A-Glance" Dashboard summary view, that also allows you to turn on/off core features.


  • FEATURE: Added 'Lockdown' feature to force login to WordPress over SSL.
  • FEATURE: Added 'Lockdown' feature to force WordPress Admin dashboard to be delivered over SSL.
  • FIX: Admin restricted access feature wasn't disabled with the "forceOff" option.


  • FIX: How WordPress Automatic/Background Updates filters worked was changed with WordPress 3.8.2.


  • UPDATED: Translations. And confirmed compatibility with WordPress 3.9


  • FEATURE: Option to Prevent Remote Posting to the WordPress Login system. Will check that the login form was submitted from the same site.


  • UPDATED: Translations and added some partials (Catalan, Persian)
  • FIX: for cleanup cron running on non-existent tables.


  • FEATURE: Two-Factor Authenticated Login using Yubikey One Time Passwords (OTP).


  • ADDED: Translations: Spanish, Italian, Turkish. (~15% complete)
  • UPDATED: Hebrew Translations (100%)


  • ADDED: Contextual help links for many options. More to come...
  • ADDED: More Portuguese (Brazil) translations (~80%)


  • ADDED: More strings to the translation set for better multilingual support
  • ADDED: Portuguese (Brazil) translations (~40%)
  • UPDATED: Hebrew Translations
  • FIXED: Automatic cleaning of database logs wasn't actually working as expected. Should now be fixed.


  • NEW: Option to enable Two-Factor Authentication based on Cookie. In this way you can tie a user session to a single browser.
  • FIX: Better WordPress Multisite (WPMS) Support.


  • FIX: Automatic updating of itself.


  • ADDED: Hebrew Translations. Thanks Ahrale!
  • ADDED: Automatic trimming of the Firewall access log to 7 days - it just grows too large otherwise.
  • FIX: The previously added automatic clean up of old comments and login protect database entries was wiping out the valid login protect entries and was forcing users to re-login every 24hrs.
  • FIX: Some small bugs, errors, and PHPDoc Comments.


  • ADDED: Automatic cleaning of GASP Comments Filter and Login Protection database entries (older than 24hrs) using WordPress Cron (everyday @ 6am)
  • CHANGED: Huge code refactoring to allow easier use with other WordPress plugins.


  • ADDED: Email sending options for automatic update notifications - options to change the notification email address, or turn it off completely.


  • FIX: Small bug fix.
  • CHANGED: When running a force automatic updates process, tries to remove influence from other plugins and uses only this plugin's automatic updates settings.
  • CHANGED: A bit of automatic updates code refactoring.


  • CHANGED: Changed all options to be disabled by default.
  • CHANGED: The option for admin notices will turn off all main admin notices except after you update options.


  • ADDED: Verified compatibility with WordPress 3.8


  • CHANGED: Certain filesystem calls are more compatible with restrictive hosting environments.
  • CHANGED: Plugin is now ready to integrate with iControlWP automatic background updates system.
  • FIX: Login Protection Cooldown feature may not operate properly in certain scenarios.


  • IMPROVED: Improved logic for Firewall whitelisting for pages and parameters to ensure whitelisting rules are followed.
  • CHANGED: The whitelisting rule for posting pages/posts is only for the "content" and the firewall checking will apply to all other page parameters.


  • FIX: When you run the Force Automatic Background Updates, it disables the plugins. This problem is now fixed.


  • FIX: A bug that prevented auto-updates of this plugin.
  • FIX: Not being able to hide translations and upgrade notices.
  • ADDED: Tweaks to auto-update feature to allow interfacing with the iControlWP service to customize the auto update system.


  • ADDED: A button that lets you run the WordPress Automatic Updates process on-demand (so you don't have to wait for WordPress cron).
  • CHANGED: The plugin now sets more options to be turned on by default when the plugin is first activated.
  • CHANGED: A lot of optimizations and code refactoring.


  • FIX: Whoops, sorry, accidentally removed the option to toggle "disable file editing". It's back now.


  • CHANGED: WordPress filters used to programmatically update whitelists now update the Login Protection IP whitelist


  • ADDED: Localization capabilities. All we need now are translators! Go here to get started.
  • ADDED: Option to mask the WordPress version so the real version is never publicly visible.


  • CHANGED: Simplified the automatic WordPress Plugin updates into 1 filter for consistency


  • ADDED: Increased admin access security features - blocks the deactivation of itself if you're not authenticated fully with the plugin.
  • ADDED: If you're not authenticated with the plugin, the plugin listing view won't have 'Deactivate' or 'Edit' links.


  • ADDED: New WordPress Automatic Updates Configuration settings


  • ADDED: Notification of available plugin upgrade is now an option under the 'Dashboard'
  • CHANGED: Certain admin and upgrade notices now only appear when you're authenticated with the plugin (if this is enabled)
  • FIXED: PHP Notice with undefined index.


  • ADDED: Feature- Access Key Restriction more info.
  • ADDED: Feature- WordPress Lockdown. Currently only provides 1 option, but more to come.


  • CHANGED: Reworked a lot of the plugin to optimize for further performance.
  • FIX: Potential infinite loop in processing firewall.


  • ADDED: Much more efficiency yet again in the loading/saving of the plugin options.


  • ADDED: Preliminary WordPress Multisite (WPMS/WPMU) Support.
  • CHANGED: The Firewall now kicks in on the 'plugins_loaded' hook instead of as the actual firewall plugin is initialized (as a result of WP Multisite support).


  • REMOVED: Automatic upgrade option until I can ascertain what caused the plugin to auto-disable.


  • ADDED: Options to fully customize the text displayed by the GASP comments section.
  • ADDED: Option to include logged-in users in the GASP Comments Filter.


  • ADDED: A new section - 'Comments Filtering' that will form the basis for filtering comments with SPAM etc.
  • ADDED: Option to add enhanced GASP based comments filtering to prevent SPAM bots posting comments to your site.


  • IMPROVED: Whitelist/Blacklist IP range processing to better cater for ranges when saving, with more thorough checking.
  • IMPROVED: Whitelist/Blacklist IP range processing for 32-bit systems.
  • FIXED: A bug with Whitelist/Blacklist IP checking.


  • FIXED: Quite a few bugs fixed.


  • FIXED: Typo error.


  • FIXED: Some of the firewall processors were saving unnecessary data.



  • FIXED: Bug fix where IP address didn't show in email.
  • FIXED: Attempt to fix problem where update message never hides.


  • ADDED: A new IP whitelist on the Login Protect that lets you by-pass login protect rules for given IP addresses.
  • REMOVED: Firewall rule for wp-login.php and whitelisted IPs.


  • ADDED: The plugin now has an option to automatically upgrade itself when an update is detected - enabled by default.


  • ADDED: The plugin now displays an admin notice when a plugin upgrade is available with a link to immediately update.
  • ADDED: Plugin collision: removes the main hook by 'All In One WordPress Security'. No need to have both plugins running.
  • ADDED: Improved Login Cooldown Feature- works more like email throttling as it now uses an extra filesystem-based level of protection.
  • FIXED: Login Cooldown Feature didn't take effect in certain circumstances.


  • ADDED: All-new plugin options handling making them more efficient, easier to manage/update, using far fewer WordPress database options.
  • CHANGED: Huge improvements on database calls and efficiency in loading plugin options.
  • FIXED: Nonce implementation.


  • FIXED: Small compatibility issue with Quick Cache menu not showing.


  • ADDED: Email Throttle Feature - this will prevent you getting bombarded by 1000s of emails in case you're hit by a bot.
  • ADDED: Another Firewall die() option. New option will print a message and uses the wp_die() function instead.
  • ADDED: Refactored and improved the logging system (upgrading will delete your current logs!).
  • ADDED: Option to separately log Login Protect features.
  • ADDED: Option to by-pass 2-factor authentication in case sending the verification email fails (so you don't get locked out if your hosting doesn't support email!).
  • CHANGED: Login Protect checking now better logs out users immediately with a redirect.
  • CHANGED: We now escape the log data being printed - just in case there's any HTML/JS etc in there we don't want.
  • CHANGED: Optimized and cleaned a lot of the option caching code to improve reliability and performance (more to come).


  • FIX: Bug where the GASP Login protection was only working when you had 2-factor authentication enabled.


  • ADDED: Ability to import settings from WordPress Firewall 2 plugin options - note, doesn't import page and variables whitelisting.
  • FIX: A reported bug - parameter values could also be arrays.


  • ADDED: New Feature - Option to add a checkbox that blocks automated SPAM Bots trying to log into your site.
  • ADDED: Added a clear user message when they verify their 2-factor authentication.
  • FIX: A few bugfixes and logic corrections.


  • CHANGED: Documentation on the dashboard, and the message after installing the firewall have been updated to be clearer and more informative.
  • FIX: A few bugfixes and logic corrections.


  • FIX: bugfix.


  • FIX: Some warnings and display bugs.


  • ADDED: New Feature - Login Wait Interval. To reduce the effectiveness of brute force login attacks, you can add an interval by which WordPress will wait before processing any more login attempts on a site.
  • CHANGED: Optimized some settings for performance.
  • CHANGED: Cleaned up the UI when the Firewall / Login Protect features are disabled (more to come).
  • CHANGED: Further code improvements (more to come).


  • ADDED: New Feature - Login Protect. Added 2-Factor Login Authentication for all users and their associated IP addresses.
  • CHANGED: The method for processing the IP address lists is improved.
  • CHANGED: Improved .htaccess rules (thanks MickeyRoush)
  • CHANGED: Mailing method now uses WP_MAIL
  • CHANGED: Lots of code improvements.


  • ADDED: Option to include Cookies in the firewall checking.


  • ADDED: Ability to whitelist particular pages and their parameters (see FAQ)
  • CHANGED: Quite a few improvements made to the reliability of the firewall processing.


  • FIX: Left test path in plugin.


  • ADDED: Option to completely ignore logged-in Administrators from the Firewall processing (they won't even trigger logging etc).
  • ADDED: Ability to (un)blacklist and (un)whitelist IP addresses directly from within the log.
  • ADDED: helpful link to IP WHOIS from within the log.


  • CHANGED: Logging now has its own dedicated database table.


  • Fix: Block notification emails weren't showing the user-friendly IP Address format.


  • You can now specify IP ranges in whitelists and blacklists. To do this, separate the start and end address with a hyphen (-). E.g. for everything between and, you would do:
  • You can now specify which email address to send the notification emails.
  • You can now add a comment to IP addresses in the whitelist/blacklist. To do this, write your IP address then type a SPACE and write whatever you want (don't take a new line).
  • You can now set to delete ALL firewall settings when you deactivate the plugin.
  • Improved formatting of the firewall log.


  • First Release

Requires: 3.2.0 or higher
Compatible up to: 3.9
Last Updated: 2014-4-14
Downloads: 33,067


5 out of 5 stars


11 of 12 support threads in the last two months have been resolved.
