NinjaFirewall (WP Edition)

A true Web Application Firewall to protect and secure WordPress.


  • If you want to upgrade your server from PHP 5 to PHP 7, please check our blog for potential issues: http://nin.link/php7/
  • During the installation process, NinjaFirewall will add the correct PHP 5 or PHP 7 directive to the .htaccess if the server is running Apache with mod_php.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.


  • Fixed UI compatibility issues with WordPress 4.4.
  • Fixed an "undefined offset" PHP notice while creating the daily activity report.
  • Fixed a bug in "File Check" where the processing time was not updated after creating a snapshot.
  • Fixed a bug in "File Check" where the symlinks option was not displayed if the exclusion list was empty.
  • Fixed a bug where non-admin users were blocked from accessing the editor if the "Protect against username enumeration > Through the author archives" firewall policy was enabled.


  • Removed the update_core capability that was required to access NinjaFirewall settings because if the DISALLOW_FILE_MODS option from the "Firewall Policies" page was enabled, the admin could no longer access NinjaFirewall.


  • The firewall decoding routine was rewritten to be much more efficient. It is faster and can better detect advanced evasion techniques.
  • Added a new constant: NFW_DONT_USE_SSL. Because NinjaFirewall downloads its rules over an HTTPS secure connection, if your server does not support SSL you can ask it to use a non-secure connection by adding the following directive to your wp-config.php file: define('NFW_DONT_USE_SSL', 1);
  • The security rules are no longer included inside the install.php script because some security scanners could wrongly flag them as suspicious. Instead, they will be downloaded from the WordPress repo during the installation or update of NinjaFirewall.
  • The Strict-Transport-Security response header in the Firewall Policies page has a new option to send an empty max-age to signal the user-agent to cease regarding the host as a known HSTS Host, while disabling the HSTS option will not return any header at all.
  • Accessing NinjaFirewall menu and settings will now require the following three capabilities: manage_options, update_core and unfiltered_html. Previously, only the manage_options capability was needed (see our blog for more info about it: http://nin.link/nfwaa ).
  • Added a new constant: NFW_ALLOWED_ADMIN. It can be used to allow only selected administrators to access NinjaFirewall configuration (see our blog for more info about it: http://nin.link/nfwaa ).
  • NinjaFirewall will prevent any user, including the administrator, from editing its code from the WordPress built-in plugin editor.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Updated security rules.


  • Added protection to block WordPress XMLRPC brute-force amplification attacks using the system.multicall method (see "Firewall Policies > WordPress XML-RPC API").
  • A daily report will be sent to the administrator every morning. It is enabled by default and can be disabled from the "Event Notifications > Daily report" menu.
  • Added a button to immediately update the firewall security rules (See "Updates > Check For updates Now!").
  • Fixed a bug with the "Import Configuration" option: NinjaFirewall updates cronjob was not re-enabled when importing its configuration.
  • Updated security rules.
  • [WP+ Edition] Fixed a bug in the Overview page that could show contradictory messages about whitelisted administrator.
  • [WP+ Edition] Added the server IP(s) to the "Access Control > Source IP" section.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Minor fixes and improvements.


  • Improved firewall engine to handle double-encoding used in query strings to perform advanced SQLi and XSS attempts.
  • Improved Base64-encoded injection detection.
  • Updated links and doc.
  • Removed green 'OK' icons from the Overview page. Only warning and error icons will be used.
  • Updated security rules.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.


  • Internationalization support. The POT file is included in the /languages/ folder.
  • French (fr_FR) language added.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Updated security rules.
  • Minor fixes and improvements.


  • Fixed a bug in the firewall that could corrupt the content of a POST or GET array.
  • It is now possible to send notifications and alerts to multiple recipients (see "Event Notifications > Contact email").
  • After each scan, "File Check" will always keep the list of the previous changes rather than deleting it.
  • Updates log is sorted in reverse order.
  • [WP+ Edition] Whitelisted and blacklisted IPs are sorted using "natural order" algorithm in the "Access Control" page.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Updated security rules.


  • The path to NinjaFirewall's log/cache directory can be changed with the NFW_LOG_DIR constant (see http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja for more details).
  • Disabling NinjaFirewall will disable the brute-force protection as well.
  • When importing its configuration, NinjaFirewall will ensure that the server is compatible with the HTTP response headers option, otherwise it will disable that option.
  • The installer will return an error message if the PHP mysqli extension is not loaded.
  • Fixed PHP warning on systems that do not support exclusive locks.
  • Fixed potential PHP warning when headers are wrongly sent by another plugin before NinjaFirewall starts a PHP session.
  • Loosened Base64 decoder rules to reduce the risk of false-positives.
  • Updated security rules.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ Edition] Added a warning to the antispam protection about caching plugins.


  • "File Guard" email alert will contain the date/time the file was last changed, rather than the date/time the detection occurred.
  • The "Refresh Rate" and "Autoscrolling" options from the "Live Log" menu will be remembered when changed.
  • "Live Log" has a new option to select the timezone to display.
  • The firewall will always ensure that REMOTE_ADDR contains only one IP or will remove any extra IP.
  • NinjaFirewall will not block but only warn if DISABLE_WP_CRON is defined (applies to "File Check" and "Updates").
  • It is possible to set the Strict-Transport-Security (HSTS) header if the client has the HTTP_X_FORWARDED_PROTO set to 'https' (Firewall Policies > HTTP response headers).
  • Notification emails will either use the home_url() or site_url() function depending on the type of notification.
  • The firewall will no longer sanitise user input when running in "Debugging Mode", but will only write the event to its log.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ Edition] The antispam will not block any message if NinjaFirewall is running in "Debugging Mode".
  • Updated security rules.
  • Minor fixes and improvements.


  • Added a new feature: "Updates". It can automatically update NinjaFirewall's built-in security rules in order to keep your blog protected against the latest WordPress vulnerabilities, without having to update the whole plugin. For more info, please see "NinjaFirewall WP/WP+ introduces automatic updates for security rules".
  • Updated security rules.
  • Minor fixes and improvements.


  • The firewall can now use some very specific rules to block an action from the logged in administrator even if he/she is whitelisted. Such rules will only be used to protect against CSRF and maliciously crafted links specifically targeting the administrator.
  • The firewall engine can now chain two different security rules in order to provide a better and more accurate filtering mechanism.
  • Updated security rules.
  • Session handling was slightly modified for sites running PHP 5.4+.
  • NinjaFirewall will display a warning in the "Overview" page if it detects that a buggy plugin may have destroyed the current PHP session.
  • Added a new option to "Live Log" that allows you to select which traffic you want to view (HTTP and/or HTTPS).
  • Minor fixes and improvements.


  • Updated security rules to block several new vulnerabilities (e.g., WordPress SEO by Yoast).


  • Fixed PHP error (blank screen after last update) for sites running PHP 5.3. NOTE: if you are still using PHP 5.3, consider upgrading your PHP version because it has not been supported since Aug 2014, and using older versions may expose you to security vulnerabilities and bugs that have been fixed in more recent versions of PHP. In addition, you won't be able to use some features of NinjaFirewall that require at least PHP 5.4.


  • Added an option to customize the log format in Live Log (see "Live Log > Options > Log format").
  • Added a new HTTP response header: Strict-Transport-Security, to defend against cookie hijacking and Man-in-the-Middle attacks (see "Firewall Policies > HTTP response headers").
  • Updated security rules.
  • When importing NinjaFirewall configuration from another site, File Check configuration will not be imported.
  • Fixed an "Undefined index: php_ini_type" PHP notice during the installation process.
  • Fixed some minor typos and bugs.


  • Added a new feature: "Live Log". It lets you watch your website traffic in real time.
  • Fixed a bug in the "Event Notifications" email alert: after an update, the name of the (re)activated plugin was missing.
  • It is now possible to create the ".htninja" optional configuration file in either the document root or its parent directory (see http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja ).
  • NinjaFirewall will not block access to the TinyMCE WYSIWYG editor even if the option to block direct access to any PHP file located in the /wp-includes/ folder is enabled (see "Firewall Policies" page).


  • Added protection against the FancyBox for WordPress 0-day vulnerability.


  • Updated security rules.
  • Added an option to select HHVM (HipHop Virtual Machine) during the installation process. See our blog about installing NinjaFirewall on HHVM (http://nin.link/hhvm).
  • The plugin and theme editors will no longer be disabled by default.
  • The maximum length of the username and password from the "Login Protection" option was increased to 32 characters.
  • Added an option to exclude a folder from being monitored by File Guard (see "File Guard > Exclude the following folder" option).
  • The installer will send an email to the administrator with some info and links that could be helpful if there was a problem or crash during NinjaFirewall installation/activation.
  • The installer will comment out any auto_prepend_file directive that may be found in the PHP INI file before inserting its own.
  • The database monitoring option will save its data to a file whose name will be based on the blog_id and site_id variables to prevent potential false detection alerts.
  • [WP+ Edition] The priority of the antispam add_filter and add_action hooks was lowered in order to execute them earlier.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.


  • Added a new option to monitor the database and send an alert if an administrator account is created, modified or deleted (see "Event Notifications > Database").
  • Added a "Processing time" legend to File Check snapshot description to display the time it took to perform the scan.
  • Updated security rules.
  • On new installations, File Guard will be enabled by default.
  • NinjaFirewall will refuse to install if the WordPress /plugins/ directory was renamed.
  • Fixed a bug in File Check scheduled scan: it was not disabled when deactivating NinjaFirewall.


  • File Check can now run scheduled scans on a specific interval (hourly, twicedaily or daily) and send reports by email (see "File Check > Options" menu and its contextual help).
  • Added an option to select Apache/suPHP SAPI during the installation process.
  • Added an option to write all events/alerts to the firewall log (see "Event Notifications > Log").
  • Loosened cookies sanitizing rules to reduce the risk of false-positives.


  • Updated security rules to protect against new Slider Revolution/Showbiz Pro shell upload exploit (http://nin.link/fd78).


  • Added a new set of options that can hook the HTTP response headers, including cookies, and modify them on-the-fly to help mitigate threats such as XSS, phishing and clickjacking attacks (see "Firewall Policies > HTTP response headers").
  • Updated security rules.
  • The function detecting if the firewall is enabled was rewritten and is more accurate and flexible.
  • File Check will display date & time using the blog timezone rather than the user localtime.


  • Added a new feature that can detect changes made to your files (see "File Check" menu and its contextual help).
  • Updated security rules.


  • Added a drop-down menu to the "Statistics" page to select and view stats from the previous months.
  • Added a drop-down menu to the "Firewall Log" page to select and view logs from the previous months.
  • New simpler and intuitive installer.
  • Fixed the FORCE_SSL_ADMIN alert that was unnecessarily displayed when the site was already in HTTPS mode.
  • Fixed a potential bug in the user enumeration protection that could block a legitimate user.
  • Added a warning to WordPress admin console if the log directory does not exist.
  • Added missing MIME and charset headers to all emails sent by the firewall.
  • Updated "File Guard" contextual help.
  • Updated security rules.
  • Fixed various small bugs and typos.


  • Added an option to import/export NinjaFirewall configuration (see "Firewall Options" page).
  • The firewall logs will be saved to the wp-content/nfwlog/ folder, to prevent WordPress from deleting them during an update.
  • Added a warning to the "Overview" page if the administrator is not whitelisted by the firewall.
  • Non-RFC compliant uppercase IPv6 addresses found in the X_FORWARDED_FOR header will no longer be blocked by the firewall (rule #312).
  • Rules #151 and #152 (HTTP header injection) were removed to prevent false positives from occurring.
  • The "AUTH log" option from the "Login Protection" page will be disabled if the server does not support it.
  • Cookies and GET variable sanitizing, as well as HTTP_REFERER scan will be disabled by default in the Firewall Policies page.
  • Added a rule to protect against the shellshock bash code injection vulnerability (CVE-2014-6271).


  • Added a new option to record brute-force attacks to the server AUTH log (see Login Protection > AUTH log).
  • NinjaFirewall is now able to parse the wp-config.php script if the DB_HOST constant is using a "host:port", "host:socket" or "host:port:socket" format.
  • Fixed installer bug that could corrupt the .htaccess.
  • Fixed Cloudflare and Incapsula detection warning in the "Overview" page. It will not be displayed when the correct IP is used.
  • We opened a Twitter account for all updates and upgrades: @nintechnet.


  • Fixed IE browsers italic text bug in the File Guard page.
  • Updated security rules.
  • Cleaned-up installer and removed useless lines of code.
  • Added rules description to the enabled and disabled rules drop-down lists (see Rules Editor).
  • Fixed "Invalid argument supplied for foreach" PHP notice.
  • Fixed "Undefined variable: auth_pass" (potential) PHP notice.
  • Fixed the XML-RPC checkbox in the "Login Protection" page. It is now visible when the protection is set to "Always ON".
  • Added reverse proxy/load balancer detection. A message in the "Overview" page will warn the admin about setting up the server or NinjaFirewall in order to use the correct IP.


  • Fixed login protection rejecting username/password on some servers running Apache PHP-CGI with suExec. NinjaFirewall will now use its own very fast authentication scheme rather than relying on the server HTTP Basic authentication.
  • The length of the firewall log lines was increased from 100 to 200 characters.
  • Fixed potential 500 Internal Server error during installation on Apache servers that do not have the mod_env module loaded.
  • Added Cloudflare and Incapsula detection. A message in the "Overview" page will warn the admin about setting up the server or NinjaFirewall in order to use the correct IP.
  • Updated security rules.


  • The brute-force attack protection was extended to the XML-RPC API script (xmlrpc.php). See the "Login Protection" page and its contextual help.
  • Fixed error when multibyte characters were used in the firewall "Blocked user message".
  • Updated security rules.
  • Fixed a couple of bugs in the UI (smartphone users).


  • Security update: added protection against the new TimThumb vulnerability (WebShot Remote Code Execution).


  • Added a new feature that can detect, in real-time, any access to a PHP file that was recently modified or created, and can alert the administrator (see new "File Guard" menu and its contextual help).
  • Added a call to stripslashes() to prevent WordPress from escaping quotes in the "Login Protection" password.
  • The length of the "Login Protection" message (realm) was increased from 100 to 150 characters.
  • Removed a small piece of code from the "Login Protection" that could block some browsers.


  • Fixed a bug introduced in v1.1.9: login alerts were not sent. Sorry for the inconvenience.


  • NinjaFirewall is now fully compatible with IPv6.
  • All logs will have a .php extension in order to be protected by NinjaFirewall if the HTTP server does not support .htaccess (Nginx, Lighttpd, Cherokee, OpenLiteSpeed etc).
  • Fixed a small JS issue in the "Login Protection" page (the 'onChange' event wasn't working well with IE browsers).
  • The firewall blocked message will now return by default around 700 bytes only, instead of 8Kb.
  • Introducing a new supercharged edition of NinjaFirewall (see "WP+ Edition" page).


  • Updated firewall rules.
  • Fixed a bug where notifications were not sent to the contact email address given by the user ("Event Notifications" page).
  • The "Protect against username enumeration" option ("Firewall Policies" page) will not be enabled by default, to prevent Google bot from being blocked.
  • Modified the handling of session_start.
  • Added a stats file to summarize the firewall log statistics in order to speed up the display of the dashboard widget when the log is huge.
  • Added new features to the .htninja file to quickly allow or block visitors. See http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja for full details.


  • Updated firewall rules.
  • Tweaked security rules ID 100 and 300 to reduce false positives.
  • Fixed some code and minor errors.


  • Updated firewall rules.
  • Added an option to sanitise HTTP REQUEST variables ("Firewall Policies" page).
  • Added NinjaFirewall Statistics widget to WP dashboard.
  • Fixed multiple file upload error.
  • Fixed a bug where login alerts were sent even when NinjaFirewall was disabled from the "Firewall Options" menu.
  • NinjaFirewall status icon in the admin bar (multi-site installation) will always be visible to the Super Admin, even when it is disabled.
  • Log file and stats will be saved and restored after upgrading NinjaFirewall.


  • Updated firewall rules.
  • Improved admin UI to offer better smartphone compatibility.
  • Fixed a bug where the localhost IP was not blacklisted.
  • Fixed a bug where some disabled Firewall Policies options were wrongly accessible from the Rules Editor.
  • Renamed E-mail Alerts menu to Event Notifications.


  • Updated firewall rules.
  • Fixed potential session timeout for the logged-in admin.
  • Fixed dead links in doc.
  • Improved installer/uninstaller.
  • Added a warning to the firewall status page if the log directory is not writable.
  • Fixed an undefined NFW_DOC_ROOT constant warning.


  • Added an option to block username enumeration scanning attempts through the author archives and the login page (Firewall Policies page).
  • Added an option to always enforce HTTP Basic authentication to protect the login page and the possibility to set a custom 'realm' message (Login Protection page).
  • Added an optional configuration file that can be used to tell NinjaFirewall where the wp-config.php file is located, in case it was moved to another directory (see http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja for full details).
  • Added a warning about blocking direct access to PHP scripts located in the /wp-includes/ directory because it could prevent non-admin users from using the TinyMCE WYSIWYG editor.


  • Updated firewall rules.
  • Added an option to block access to WordPress XML-RPC API (Firewall Policies page).
  • Better error handling (critical errors will be displayed in the admin console only).
  • Fixed a bug where NinjaFirewall brute-force protection was always triggered by the login modals introduced in WordPress 3.6.
  • Firewall rules and options are now using WP_CONTENT_DIR constant.
  • The installer will attempt to detect if WordPress files were installed into a subdirectory different from the root directory.


  • Added protection against very large brute-force attacks, including distributed attacks coming from several thousands of different IPs (see new Login Protection menu).
  • Fixed firewall initialisation error due to user defined WP_CONTENT_DIR.
  • Fixed a bug where an extended ASCII code could make the log unreadable from WP admin console.


  • Added multi-site network support.
  • Added an option to decode and scan Base64 encoded values in POST requests (Firewall Policies page).


  • Added an E-mail Alerts configuration page to send alerts on specific events (users login, themes/plugins installation, activation, deletion etc).
  • Added Privacy Policy to the About page and to the installer.


  • Added a Rules Editor menu to enable/disable built-in rules individually.
  • Fixed installation issue with Litespeed HTTP server when using Apache-style configuration directives (php_value).
  • Added a call to stripslashes() to prevent WordPress from escaping quotes in the "Blocked user message" textarea.


  • Updated firewall rules.
  • Added extensive contextual help to the Firewall Policies page.
  • Fixed some code, minor errors and typos.


  • Fixed a Call to undefined function flatten() error message.
  • NinjaFirewall will warn and refuse to install if SAFE_MODE is enabled with PHP 5.3+.


  • Initial release.

Requires: 3.3.0 or higher
Compatible up to: 4.4.2
Last Updated: 2 days ago
Active Installs: 9,000+


4.7 out of 5 stars


17 of 34 support threads in the last two months have been marked resolved.
