NinjaFirewall (WP Edition)

A true Web Application Firewall to protect and secure WordPress.


  • Fixed a bug introduced in v3.2.5 where the firewall could block attempts to update WordPress options.


  • Updated Anti-Malware signatures.
  • [WP+ Edition] Fixed a bug where notifications sent or displayed by NinjaFirewall were showing the load balancer IP when an alternate address was defined in the "Access Control > Source IP" section.
  • Blocked threats written to the firewall log will be hex-encoded, to lower false positives from antivirus scanners.
  • The "Anti-Malware" operations and errors will be written to the /wp-content/nfwlog/cache/malscan.log log.
  • Improved local privilege escalation protection.
  • Minor fixes and adjustments.


  • Added a warning about the XMLRPC system.multicall option if the Jetpack plugin is installed.
  • Fixed a double-slash bug in filenames in the Anti-Malware results.
  • Updated Anti-Malware signatures.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • Minor fixes and adjustments.


  • Fixed a bug that could prevent the Anti-Malware scanner from running if the ALTERNATE_WP_CRON method was enabled.
  • In a multisite environment, notifications will always be sent to the SuperAdmin by default, instead of the administrator of the site where the alert originated.
  • Fixed an issue where NinjaFirewall could wrongly flag a POST request as a BASE64 encoded injection attempt.
  • Updated Linux Malware Detect signatures.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.


  • Fixed a bug in subdomain-based multisites: the Super Admin was not whitelisted when accessing a sub-site and could not upload files.
  • Added the last scan date to the Anti-Malware page.
  • Fixed a typo in the Anti-Malware JavaScript code.
  • Added a warning to the Anti-Malware page if the scanning process seems to have unexpectedly terminated or was killed because it reached the PHP max_execution_time value allowed by your host.
  • Renamed the signatures file from .php to .txt to prevent it from being wrongly flagged by some antivirus scanners.
  • Minor fixes and adjustments.


  • [v3.2.1] Fixed a small bug introduced in v3.2 (see below) in the "Anti-Malware" page: the animated GIF didn't load because it was blocked by the .htaccess mod_rewrite rules. This issue affected Apache users only. Sorry for the inconvenience.
  • [v3.2] Added a new feature: "Anti-Malware". It allows you to scan your website for malware. The scanning engine is compatible with the popular Linux Malware Detect (LMD), whose anti-malware signatures are included with this release, and with some ClamAV signatures as well. You can even write your own anti-malware signatures. See our blog for more details about that: http://nin.link/maldet/
  • [v3.2] Fixed a JavaScript warning in the "File Check" page.
  • [v3.2] Minor fixes and adjustments.


  • Fixed a bug in the "Daily Report": on the first day of each month, the report was empty because of the monthly log rotation.
  • Fixed a bug in the "Plugins" page where the NinjaFirewall "Settings" link was not accessible in a multisite environment.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
  • It is possible to import the configuration from the WP Edition to the WP+ Edition.
  • Minor fixes and adjustments.
  • NinjaFirewall's icon displayed in the admin dashboard menu was converted to grayscale.


  • It is possible to exclude multiple files/folders in the "File Guard" options page (multiple values must be comma-separated).
  • The "Firewall Policies" sanitise options (GET, COOKIE etc) will replace all less-than and greater-than signs with their corresponding HTML entities.
  • The "X-XSS-Protection" and "HttpOnly flag" options from the "Firewall Policies" page will be enabled by default with new installations of NinjaFirewall.
  • [WP+ Edition] Added an option to select the number of log lines to display (see "Firewall Log > Log Options").
  • Minor fixes and adjustments.


  • Added a new option to whitelist all logged in users in addition to the Administrator. This can be set up from the new "Firewall Policies > Users Whitelist" option. Note that this feature was added to the free WP Edition only, as the premium WP+ Edition can whitelist users depending on their Role, IP etc.
  • [WP+ Edition] Geolocation access control can apply to the whole site or to some specific URLs only (e.g., /wp-login.php, /xmlrpc.php etc). See the "Access Control > Geolocation Access Control > Geolocation should apply to the whole site or specific URLs" option.
  • [WP+ Edition] Added an option to the "Firewall Log" page to export the log as a TSV (tab-separated values) text file.
  • [WP+ Edition] The "Delete" button from the "Firewall Log" page was moved above the textarea, beside the new "Export" button, and can be used to delete the currently viewed log.
  • Minor fixes.
  • We launched the NinjaFirewall Referral Program. If you are interested in joining the program, please follow this link: http://nin.link/referral/
  • Updated security rules.


  • Fixed a PHP notice in the "Firewall Policies" page.
  • NinjaFirewall will always search for the wp-config.php script in the current folder or, if it cannot find it, in the parent folder (there is no need to use the .htninja configuration script for that purpose).
  • The "Protect against username enumeration > Through the author archives" policy will be disabled by default when installing NinjaFirewall.
  • The "WordPress XML-RPC API > Block only system.multicall method" policy will be enabled by default when installing NinjaFirewall.


  • This is a major update: NinjaFirewall has a brand new, powerful and awesome filtering engine. Please see our blog for a complete description: http://nin.link/sensei/
  • Added many new security rules.
  • Fixed a bug where NinjaFirewall was unable to retrieve the DB password from the wp-config.php file if it contained a double-quote character.
  • The Firewall Policies "Force SSL for admin", "Disable the plugin and theme editor" and "Disable plugin and theme update/installation" options will be disabled if their respective constants have been defined elsewhere (e.g., in wp-config.php).
  • Minor fixes.
  • [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.

Requires: 3.3.0 or higher
Compatible up to: 4.6.1
Last Updated: 3 weeks ago
Active Installs: 10,000+


4.7 out of 5 stars


5 of 9 support threads in the last two months have been marked resolved.
