NinjaFirewall (WP edition)

A true Web Application Firewall to protect and secure WordPress.


  • Internationalization support. The POT file is included in the /languages/ folder.
  • French (fr_FR) language added.
  • [WP+ edition] Updated IPv4/IPv6 GeoIP databases.
  • Updated security rules.
  • Minor fixes and improvements.


  • Fixed a bug in the firewall that could corrupt the content of a POST or GET array.
  • It is now possible to send notifications and alerts to multiple recipients (see "Event Notifications > Contact email").
  • After each scan, "File Check" will always keep the list of the previous changes rather than deleting it.
  • Updates log is sorted in reverse order.
  • [WP+ edition] Whitelisted and blacklisted IPs are sorted using a "natural order" algorithm in the "Access Control" page.
  • [WP+ edition] Updated IPv4/IPv6 GeoIP databases.
  • Updated security rules.


  • The path to NinjaFirewall's log/cache directory can be changed with the NFW_LOG_DIR constant (see http://ninjafirewall.com/wordpress/htninja/#nfwlogdir for more details).
  • Disabling NinjaFirewall will disable the brute-force protection as well.
  • When importing its configuration, NinjaFirewall will ensure that the server is compatible with the HTTP response headers option, otherwise it will disable that option.
  • The installer will return an error message if the PHP mysqli extension is not loaded.
  • Fixed PHP warning on systems that do not support exclusive locks.
  • Fixed potential PHP warning when headers are wrongly sent by another plugin before NinjaFirewall starts a PHP session.
  • Loosened Base64 decoder rules to reduce the risk of false-positives.
  • Updated security rules.
  • [WP+ edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ edition] Added a warning to the antispam protection about caching plugins.


  • "File Guard" email alert will contain the date/time the file was last changed, rather than the date/time the detection occurred.
  • The "Refresh Rate" and "Autoscrolling" options from the "Live Log" menu will be remembered when changed.
  • "Live Log" has a new option to select the timezone to display.
  • The firewall will always ensure that REMOTE_ADDR contains only one IP or will remove any extra IP.
  • NinjaFirewall will not block but only warn if DISABLE_WP_CRON is defined (applies to "File Check" and "Updates").
  • It is possible to set the Strict-Transport-Security (HSTS) header if the client has HTTP_X_FORWARDED_PROTO set to 'https' (Firewall Policies > HTTP response headers).
  • Notification emails will either use the home_url() or site_url() function depending on the type of notification.
  • The firewall will no longer sanitise user input when running in "Debugging Mode", but will only write the event to its log.
  • [WP+ edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ edition] The antispam will not block any message if NinjaFirewall is running in "Debugging Mode".
  • Updated security rules.
  • Minor fixes and improvements.


  • Added a new feature: "Updates". It can automatically update NinjaFirewall's built-in security rules in order to keep your blog protected against the latest WordPress vulnerabilities, without having to update the whole plugin. For more info, see "NinjaFirewall WP/WP+ introduces automatic updates for security rules".
  • Updated security rules.
  • Minor fixes and improvements.


  • The firewall can now use some very specific rules to block an action from the logged-in administrator even if he/she is whitelisted. Such rules will only be used to protect against CSRF and maliciously crafted links specifically targeting the administrator.
  • The firewall engine can now chain two different security rules in order to provide a better and more accurate filtering mechanism.
  • Updated security rules.
  • Session handling was slightly modified for sites running PHP 5.4+.
  • NinjaFirewall will display a warning in the "Overview" page if it detects that a buggy plugin may have destroyed the current PHP session.
  • Added a new option to "Live Log" that allows you to select which traffic you want to view (HTTP and/or HTTPS).
  • Minor fixes and improvements.


  • Updated security rules to block several new vulnerabilities (e.g., WordPress SEO by Yoast).


  • Fixed a PHP error (blank screen after the last update) for sites running PHP 5.3. NOTE: if you are still using PHP 5.3, consider upgrading your PHP version: it has no longer been supported since Aug 2014, and using older versions may expose you to security vulnerabilities and bugs that have been fixed in more recent versions of PHP. In addition, you won't be able to use some features of NinjaFirewall that require at least PHP 5.4.


  • Added an option to customize the log format in Live Log (see "Live Log > Options > Log format").
  • Added a new HTTP response header: Strict-Transport-Security, to defend against cookie hijacking and Man-in-the-Middle attacks (see "Firewall Policies > HTTP response headers").
  • Updated security rules.
  • When importing NinjaFirewall configuration from another site, File Check configuration will not be imported.
  • Fixed an "Undefined index: php_ini_type" PHP notice during the installation process.
  • Fixed some minor typos and bugs.


  • Added a new feature: "Live Log". It lets you watch your website traffic in real time.
  • Fixed a bug in the "Event Notifications" email alert: after an update, the name of the (re)activated plugin was missing.
  • It is now possible to create the ".htninja" optional configuration file in either the document root or its parent directory (see http://ninjafirewall.com/wordpress/htninja/).
  • NinjaFirewall will not block access to the TinyMCE WYSIWYG editor even if the option to block direct access to any PHP file located in the /wp-includes/ folder is enabled (see "Firewall Policies" page).


  • Added protection against the FancyBox for WordPress 0-day vulnerability.


  • Updated security rules.
  • Added an option to select HHVM (HipHop Virtual Machine) during the installation process. See our blog about installing NinjaFirewall on HHVM (http://nin.link/hhvm).
  • The plugin and theme editors will no longer be disabled by default.
  • The maximum length of the username and password from the "Login Protection" option was increased to 32 characters.
  • Added an option to exclude a folder from being monitored by File Guard (see "File Guard > Exclude the following folder" option).
  • The installer will send an email to the administrator with some info and links that could be helpful if there was a problem or crash during NinjaFirewall installation/activation.
  • The installer will comment out any auto_prepend_file directive that may be found in the PHP INI file before inserting its own.
  • The database monitoring option will save its data to a file whose name will be based on the blog_id and site_id variables to prevent potential false detection alerts.
  • [WP+ edition] The priority of the antispam add_filter and add_action hooks was lowered in order to execute them earlier.
  • [WP+ edition] Updated IPv4/IPv6 GeoIP databases.


  • Added a new option to monitor the database and send an alert if an administrator account is created, modified or deleted (see "Event Notifications > Database").
  • Added a "Processing time" legend to File Check snapshot description to display the time it took to perform the scan.
  • Updated security rules.
  • On new installations, File Guard will be enabled by default.
  • NinjaFirewall will refuse to install if the WordPress /plugins/ directory was renamed.
  • Fixed a bug in File Check scheduled scan: it was not disabled when deactivating NinjaFirewall.


  • File Check can now run scheduled scans on a specific interval (hourly, twicedaily or daily) and send reports by email (see "File Check > Options" menu and its contextual help).
  • Added an option to select Apache/suPHP SAPI during the installation process.
  • Added an option to write all events/alerts to the firewall log (see "Event Notifications > Log").
  • Loosened cookies sanitizing rules to reduce the risk of false-positives.


  • Updated security rules to protect against new Slider Revolution/Showbiz Pro shell upload exploit (http://nin.link/fd78).


  • Added a new set of options that can hook the HTTP response headers, including cookies, and modify them on-the-fly to help mitigate threats such as XSS, phishing and clickjacking attacks (see "Firewall Policies > HTTP response headers").
  • Updated security rules.
  • The function detecting whether the firewall is enabled was rewritten and is more accurate and flexible.
  • File Check will display date & time using the blog timezone rather than the user localtime.


  • Added a new feature that can detect changes made to your files (see "File Check" menu and its contextual help).
  • Updated security rules.


  • Added a drop-down menu to the "Statistics" page to select and view stats from the previous months.
  • Added a drop-down menu to the "Firewall Log" page to select and view logs from the previous months.
  • New simpler and intuitive installer.
  • Fixed the FORCE_SSL_ADMIN alert that was unnecessarily displayed when the site was already in HTTPS mode.
  • Fixed a potential bug in the user enumeration protection that could block a legitimate user.
  • Added a warning to WordPress admin console if the log directory does not exist.
  • Added missing MIME and charset headers to all emails sent by the firewall.
  • Updated "File Guard" contextual help.
  • Updated security rules.
  • Fixed various small bugs and typos.


  • Added an option to import/export NinjaFirewall configuration (see "Firewall Options" page).
  • The firewall logs will be saved to the wp-content/nfwlog/ folder, to prevent WordPress from deleting them during an update.
  • Added a warning to the "Overview" page if the administrator is not whitelisted by the firewall.
  • Non-RFC compliant uppercase IPv6 addresses found in the X_FORWARDED_FOR header will no longer be blocked by the firewall (rule #312).
  • Rules #151 and #152 (HTTP header injection) were removed to prevent false positives from occurring.
  • The "AUTH log" option from the "Login Protection" page will be disabled if the server does not support it.
  • Cookies and GET variable sanitizing, as well as HTTP_REFERER scan will be disabled by default in the Firewall Policies page.
  • Added a rule to protect against the shellshock bash code injection vulnerability (CVE-2014-6271).


  • Added a new option to record brute-force attacks to the server AUTH log (see Login Protection > AUTH log).
  • NinjaFirewall is now able to parse the wp-config.php script if the DB_HOST constant uses a "host:port", "host:socket" or "host:port:socket" format.
  • Fixed installer bug that could corrupt the .htaccess.
  • Fixed Cloudflare and Incapsula detection warning in the "Overview" page. It will not be displayed when the correct IP is used.
  • We opened a Twitter account for all updates and upgrades: @nintechnet.


  • Fixed IE browsers italic text bug in the File Guard page.
  • Updated security rules.
  • Cleaned up the installer and removed unused lines of code.
  • Added rules description to the enabled and disabled rules drop-down lists (see Rules Editor).
  • Fixed "Invalid argument supplied for foreach" PHP notice.
  • Fixed "Undefined variable: auth_pass" (potential) PHP notice.
  • Fixed the XML-RPC checkbox in the "Login Protection" page. It is now visible when the protection is set to "Always ON".
  • Added reverse proxy/load balancer detection. A message in the "Overview" page will warn the admin about setting up the server or NinjaFirewall in order to use the correct IP.


  • Fixed login protection rejecting username/password on some servers running Apache PHP-CGI with suExec. NinjaFirewall will now use its own very fast authentication scheme rather than relying on the server HTTP Basic authentication.
  • The length of the firewall log lines was increased from 100 to 200 characters.
  • Fixed potential 500 Internal Server error during installation on Apache servers that do not have the mod_env module loaded.
  • Added Cloudflare and Incapsula detection. A message in the "Overview" page will warn the admin about setting up the server or NinjaFirewall in order to use the correct IP.
  • Updated security rules.


  • The brute-force attack protection was extended to the XML-RPC API script (xmlrpc.php). See the "Login Protection" page and its contextual help.
  • Fixed error when multibyte characters were used in the firewall "Blocked user message".
  • Updated security rules.
  • Fixed a couple of bugs in the UI (smartphone users).


  • Security update: added protection against the new TimThumb vulnerability (WebShot Remote Code Execution).


  • Added a new feature that can detect, in real-time, any access to a PHP file that was recently modified or created, and can alert the administrator (see new "File Guard" menu and its contextual help).
  • Added a call to stripslashes() to prevent WordPress from escaping quotes in the "Login Protection" password.
  • The length of the "Login Protection" message (realm) was increased from 100 to 150 characters.
  • Removed a small piece of code from the "Login Protection" that could block some browsers.


  • Fixed a bug introduced in v1.1.9: login alerts were not sent. Sorry for the inconvenience.


  • NinjaFirewall is now fully compatible with IPv6.
  • All logs will have a .php extension in order to be protected by NinjaFirewall if the HTTP server does not support .htaccess (Nginx, Lighttpd, Cherokee, OpenLiteSpeed, etc.).
  • Fixed a small JS issue in the "Login Protection" page (the 'onChange' event wasn't working well with IE browsers).
  • The firewall "blocked" message will now return by default only around 700 bytes, instead of 8 KB.
  • Introducing a new supercharged edition of NinjaFirewall (see "WP+ Edition" page).


  • Updated firewall rules.
  • Fixed a bug where notifications were not sent to the contact email address given by the user ("Event Notifications" page).
  • The "Protect against username enumeration" option ("Firewall Policies" page) will not be enabled by default, to prevent Google bot from being blocked.
  • Modified the handling of session_start.
  • Added a stats file to summarize the firewall log statistics in order to speed up the display of the dashboard widget when the log is huge.
  • Added new features to the .htninja file to quickly allow or block visitors. See http://ninjafirewall.com/wordpress/htninja/ for full details.


  • Updated firewall rules.
  • Tweaked security rules ID 100 and 300 to reduce false positives.
  • Fixed some code and minor errors.


  • Updated firewall rules.
  • Added an option to sanitise HTTP REQUEST variables ("Firewall Policies" page).
  • Added NinjaFirewall Statistics widget to WP dashboard.
  • Fixed a multiple-file upload error.
  • Fixed a bug where login alerts were sent even when NinjaFirewall was disabled from the "Firewall Options" menu.
  • NinjaFirewall status icon in the admin bar (multi-site installation) will always be visible to the Super Admin, even when it is disabled.
  • Log file and stats will be saved and restored after upgrading NinjaFirewall.


  • Updated firewall rules.
  • Improved admin UI to offer better smartphones compatibility.
  • Fixed a bug where the localhost IP was not blacklisted.
  • Fixed a bug where some disabled Firewall Policies options were wrongly accessible from the Rules Editor.
  • Renamed E-mail Alerts menu to Event Notifications.


  • Updated firewall rules.
  • Fixed potential session timeout for the logged-in admin.
  • Fixed dead links in doc.
  • Improved installer/uninstaller.
  • Added a warning to the firewall status page if the log directory is not writable.
  • Fixed an undefined NFW_DOC_ROOT constant warning.


  • Added an option to block username enumeration scanning attempts through the author archives and the login page (Firewall Policies page).
  • Added an option to always enforce HTTP Basic authentication to protect the login page and the possibility to set a custom 'realm' message (Login Protection page).
  • Added an optional configuration file that can be used to tell NinjaFirewall where the wp-config.php file is located, in case it was moved to another directory (see http://ninjafirewall.com/wordpress/htninja/ for full details).
  • Added a warning about blocking direct access to PHP scripts located in the /wp-includes/ directory because it could prevent non-admin users from using the TinyMCE WYSIWYG editor.


  • Updated firewall rules.
  • Added an option to block access to WordPress XML-RPC API (Firewall Policies page).
  • Better error handling (critical errors will be displayed in the admin console only).
  • Fixed a bug where NinjaFirewall brute-force protection was always triggered by the login modals introduced in WordPress 3.6.
  • Firewall rules and options now use the WP_CONTENT_DIR constant.
  • The installer will attempt to detect if WordPress files were installed into a subdirectory different from the root directory.


  • Added protection against very large brute-force attacks, including distributed attacks coming from several thousand different IPs (see new Login Protection menu).
  • Fixed firewall initialisation error due to user defined WP_CONTENT_DIR.
  • Fixed a bug where an extended ASCII code could make the log unreadable from WP admin console.


  • Added multi-site network support.
  • Added an option to decode and scan Base64 encoded values in POST requests (Firewall Policies page).


  • Added an E-mail Alerts configuration page to send alerts on specific events (users login, themes/plugins installation, activation, deletion etc).
  • Added Privacy Policy to the About page and to the installer.


  • Added a Rules Editor menu to enable/disable built-in rules individually.
  • Fixed an installation issue with the LiteSpeed HTTP server when using Apache-style configuration directives (php_value).
  • Added a call to stripslashes() to prevent WordPress from escaping quotes in the "Blocked user message" textarea.


  • Updated firewall rules.
  • Added extensive contextual help to the Firewall Policies page.
  • Fixed some code, minor errors and typos.


  • Fixed a "Call to undefined function flatten()" error message.
  • NinjaFirewall will warn and refuse to install if SAFE_MODE is enabled with PHP 5.3+.


  • Initial release.

Requires: 3.3.0 or higher
Compatible up to: 4.3
Last Updated: 2015-8-16
Active Installs: 6,000+


4.6 out of 5 stars


14 of 30 support threads in the last two months have been resolved.
