
NinjaFirewall (WP Edition)

A true Web Application Firewall to protect and secure WordPress.

3.4.1

  • Fixed a bug introduced yesterday in v3.4, where some JetPack users could get a "Sorry, you are not allowed to access this page" error message.

3.4

  • NinjaFirewall can now be installed in two different modes: either "Full WAF" mode (via the PHP auto_prepend_file directive, as usual) or "WordPress WAF" mode (via the wp-config.php script). See our blog for more info: http://nin.link/wafmode/
  • Added two options regarding the new WP REST API: to block any access to the API (see "Firewall Policies > WordPress REST API") or only username enumeration (see "Firewall Policies > Protect against username enumeration").
  • Added an option to block serialized PHP objects found inside a GET or POST request, cookies, user agent and referrer variables (see the "Firewall Policies > PHP" section).
  • Added an option to send a notification to the administrator when NinjaFirewall detects and blocks a privilege escalation attempt (see the "Event Notifications > Administrator account" section).
  • The "File Guard" files/folders exclusion list can now contain up to 255 characters (vs 155 previously).
  • Updated "Anti-Malware" signatures.
  • Several small fixes and adjustments.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.

3.3.3

  • Improved the filtering engine cache for better reliability and speed.
  • Added an option to block Pingbacks without having to disable the whole XML-RPC API (see "Firewall Policies > WordPress XML-RPC API > Block Pingbacks").
  • Fixed a "nfwhook_load_textdomain invalid function name" PHP error (WP Edition only).
  • Fixed "Cache-Control" header in the firewall blocked message.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Improved verbose logging in case of error during the "Anti-Malware" scan.

3.3.2

  • Added "max_execution_time" directive to "File Check" to prevent time-out.
  • Updated Anti-Malware signatures.
  • The security rules updates option will be enabled by default with new installations of NinjaFirewall.
  • If the administrator is whitelisted by the brute-force protection, a notice will be displayed on the WordPress login page.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ Edition] The "Block scripts, ELF and system files upload" will also block Microsoft executable files (MZ header).
  • Minor fixes and adjustments.

3.3.1

  • [WP+ Edition] Added a new feature: "Centralized Logging". It allows you to remotely access the firewall log of all your NinjaFirewall protected websites from one single installation, without having to log in to individual servers to analyse your log data (see our blog for more info about that: http://nin.link/centlog/ ).
  • Added a new "Content-Security-Policy" option that can be set up separately for the frontend and backend of the site (see "Firewall Policies > HTTP response headers > Content-Security-Policy").
  • On French language installations running WordPress 4.6 or above, NinjaFirewall will force WordPress to use the fr_FR translation file that is fully translated and included with this release, instead of the partially translated one from wordpress.org.
  • [WP+ Edition] Added "PUT" and "DELETE" methods to the "NinjaFirewall > Access Control > HTTP Methods" section.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • [WP+ Edition] Fixed a bug in the firewall log: blocked threats were not hex-decoded before exporting the log.
  • [WP+ Edition] Fixed a bug in the shared memory feature where, in some cases, deactivating NinjaFirewall from the "Plugins" page would not disable the firewall because the shared memory segment used to store its rules was not deleted upon exit.
  • The "SERVER_NAME" environment variable will always be appended to each firewall log line (it was previously available only on multisite installations).
  • The "X-Content-Type-Options" header will be enabled by default with new installations of NinjaFirewall.
  • Updated Anti-Malware signatures.
  • Minor fixes and adjustments.

3.2.6

  • Fixed a bug introduced in v3.2.5 where the firewall could block some third-party plugins from updating WordPress options.

3.2.5

  • Updated Anti-Malware signatures.
  • [WP+ Edition] Fixed a bug where notifications sent or displayed by NinjaFirewall were showing the load balancer IP when an alternate address was defined in the "Access Control > Source IP" section.
  • Blocked threats written to the firewall log will be hex-encoded, to lower false positives from antivirus scanners.
  • The "Anti-Malware" operations and errors will be written to the /wp-content/nfwlog/cache/malscan.log log.
  • Improved privilege escalation protection.
  • Minor fixes and adjustments.

3.2.4

  • Added a warning about the XMLRPC system.multicall option if the Jetpack plugin is installed.
  • Fixed a double-slash bug in filenames in the Anti-Malware results.
  • Updated Anti-Malware signatures.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Minor fixes and adjustments.

3.2.3

  • Fixed a bug that could prevent the Anti-Malware scanner from running if the ALTERNATE_WP_CRON method was enabled.
  • In a multisite environment, notifications will always be sent to the SuperAdmin by default, instead of the administrator of the site where the alert originated.
  • Fixed an issue where NinjaFirewall could wrongly flag a POST request as a BASE64 encoded injection attempt.
  • Updated Linux Malware Detect signatures.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.

3.2.2

  • Fixed a bug in subdomain-based multisites: the Super Admin was not whitelisted when accessing a sub-site and could not upload files.
  • Added the last scan date to the Anti-Malware page.
  • Fixed a typo in the Anti-Malware JavaScript code.
  • Added a warning to the Anti-Malware page if the scanning process seems to have unexpectedly terminated or was killed because it reached the PHP max_execution_time value allowed by your host.
  • Renamed the signatures file from .php to .txt to prevent it from being wrongly flagged by some antivirus scanners.
  • Minor fixes and adjustments.

3.2.1

  • [v3.2.1] Fixed a small bug introduced in v3.2 (see below) in the "Anti-Malware" page: the animated GIF didn't load because it was blocked by the .htaccess mod_rewrite rules. This issue affected Apache users only. Sorry for the inconvenience.
  • [v3.2] Added a new feature: "Anti-Malware". It allows you to scan your website for malware. The scanning engine is compatible with the popular Linux Malware Detect LMD (whose anti-malware signatures are included with this release) and with some ClamAV signatures as well. You can even write your own anti-malware signatures. See our blog for more details about that: http://nin.link/maldet/
  • [v3.2] Fixed a JavaScript warning in the "File Check" page.
  • [v3.2] Minor fixes and adjustments.

3.1.3

  • Fixed a bug in the "Daily Report": on the first day of each month, the report was empty because of the monthly log rotation.
  • Fixed a bug in the "Plugins" page where the NinjaFirewall "Settings" link was not accessible in a multisite environment.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • It is possible to import the configuration from the WP Edition to the WP+ Edition.
  • Minor fixes and adjustments.
  • NinjaFirewall's icon displayed in the admin dashboard menu was converted to grayscale.

3.1.2

  • It is possible to exclude multiple files/folders in the "File Guard" options page (multiple values must be comma-separated).
  • The "Firewall Policies" sanitise options (GET, COOKIE etc) will replace all less-than and greater-than signs with their corresponding HTML entities.
  • The "X-XSS-Protection" and "HttpOnly flag" options from the "Firewall Policies" page will be enabled by default with new installations of NinjaFirewall.
  • [WP+ Edition] Added an option to select the number of log lines to display (see "Firewall Log > Log Options").
  • Minor fixes and adjustments.

3.1

  • Added a new option to whitelist all logged in users in addition to the Administrator. This can be set up from the new "Firewall Policies > Users Whitelist" option. Note that this feature was added to the free WP Edition only, as the premium WP+ Edition can whitelist users depending on their Role, IP etc.
  • [WP+ Edition] Geolocation access control can apply to the whole site or to some specific URLs only (e.g., /wp-login.php, /xmlrpc.php etc). See the "Access Control > Geolocation Access Control > Geolocation should apply to the whole site or specific URLs" option.
  • [WP+ Edition] Added an option to the "Firewall Log" page to export the log as a TSV (tab-separated values) text file.
  • [WP+ Edition] The "Delete" button from the "Firewall Log" page was moved above the textarea, beside the new "Export" button, and can be used to delete the currently viewed log.
  • Minor fixes.
  • We launched the NinjaFirewall Referral Program. If you are interested in joining the program, please follow this link: http://nin.link/referral/
  • Updated security rules.

3.0.1

  • Fixed a PHP notice in the "Firewall Policies" page.
  • NinjaFirewall will always search for the wp-config.php script in the current folder or, if it cannot find it, in the parent folder (there is no need to use the .htninja configuration script for that purpose).
  • The "Protect against username enumeration > Through the author archives" policy will be disabled by default when installing NinjaFirewall.
  • The "WordPress XML-RPC API > Block only system.multicall method" policy will be enabled by default when installing NinjaFirewall.

3.0

  • This is a major update: NinjaFirewall has a brand new, powerful and awesome filtering engine. Please see our blog for a complete description: http://nin.link/sensei/
  • Added many new security rules.
  • Fixed a bug where NinjaFirewall was unable to retrieve the DB password from the wp-config.php file if it contained a double-quote character.
  • The Firewall Policies "Force SSL for admin", "Disable the plugin and theme editor" and "Disable plugin and theme update/installation" options will be disabled if their respective constants have been defined elsewhere (e.g., in wp-config.php).
  • Minor fixes.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.

Requires: 3.3.0 or higher
Compatible up to: 4.7.1
Last Updated: 2 weeks ago
Active Installs: 10,000+

Ratings

4.7 out of 5 stars

Support

18 of 27 support threads in the last two months have been marked resolved.

Compatibility

2 people say it works.
0 people say it's broken.
