This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

This plugin has been closed and is no longer available for download.

WordPress Firewall 2


This is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!

This WordPress plugin inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this, but they’re not always installed on web servers and are usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases based on which field of a page request they appear in (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

Originally developed by SEO Egghead and released as WordPress Firewall.




  1. Download the plugin.
  2. Unzip the file that you downloaded.
  3. Upload the contained program “wordpress-firewall-2.php” to your “wp-content/plugins/” folder.


Upgrading from WordPress Firewall v1.25

  1. Deactivate the plugin WordPress Firewall v1.25.
  2. Delete the plugin from your plugins folder.
  3. Install WordPress Firewall 2 (see installation instructions).
  4. Your previous settings will be restored and used.

What does this thing actually do?

Lots of stuff – here’s the list:

  • Detect, intercept, and log suspicious-looking parameters — and prevent them from compromising WordPress.
  • Also protect most WordPress plugins from the same attacks.
  • Respond with an innocuous-looking 404, or a home page redirect.
  • Optionally send an email to you with a useful dump of information upon blocking a potential attack.
  • Turn on or off directory traversal attack detection.
  • Turn on or off SQL injection attack detection.
  • Turn on or off WordPress-specific SQL injection attack detection.
  • Turn on or off blocking executable file uploads.
  • Turn on or off remote arbitrary code injection detection.
  • Add whitelisted IPs.
  • Add additional whitelisted pages and/or fields to allow pages/plugins/etc to get through when desirable.
  • Optionally configure as the first plugin to load for maximum security.
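
The field-aware screening described above, as an added PHP example; it is not the plugin's own code, and the regular expressions, the field names, the `fw_screen_request` function, the `/wp-admin/admin.php:backup_dir` exemption and the sample requests are all assumptions made for illustration. It covers request-parameter screening only: toggleable rule groups, whitelisted IPs, known free-text fields and per-page field exemptions.

```php
<?php
// Added illustration, not the plugin's source; patterns and names are assumptions.
const FW_RULES = [
    'directory_traversal' => '#\.\.[/\\\\]#',
    'sql_injection'       => '#\bunion\b\s+(all\s+)?select\b#i',
    'wp_sql_injection'    => '#\bwp_(users|usermeta|options)\b#i',
];
// Returns the list of (field, rule) hits; an empty list means "allow".
function fw_screen_request(array $params, string $page, string $ip, array $cfg): array
{
    if (in_array($ip, $cfg['whitelisted_ips'], true)) {
        return []; // whitelisted client: skip all checks
    }
    $hits = [];
    foreach ($params as $field => $value) {
        // Known free-text fields and per-page exemptions are not phrase-matched.
        if (in_array($field, $cfg['free_text_fields'], true)
            || in_array("$page:$field", $cfg['whitelisted_page_fields'], true)) {
            continue;
        }
        // Flatten nested arrays (foo[]=...) into one string before matching.
        $flat = '';
        $values = is_array($value) ? $value : [$value];
        array_walk_recursive($values, function ($v) use (&$flat) { $flat .= ' ' . $v; });
        foreach ($cfg['enabled_rules'] as $rule) {
            if (preg_match(FW_RULES[$rule], $flat) === 1) {
                $hits[] = ['field' => $field, 'rule' => $rule];
            }
        }
    }
    return $hits;
}
$cfg = [
    'whitelisted_ips'         => ['203.0.113.10'],
    'free_text_fields'        => ['comment', 'content'],
    'whitelisted_page_fields' => ['/wp-admin/admin.php:backup_dir'],
    'enabled_rules'           => array_keys(FW_RULES), // each group can be switched off
];
// Constructed sample requests: [page, client IP, parameters].
$samples = [
    ['/index.php', '198.51.100.7', ['p' => '12', 'comment' => 'Try UNION ALL SELECT here']],
    ['/index.php', '198.51.100.7', ['cat' => '1 UNION SELECT 1 FROM wp_users']],
    ['/index.php', '198.51.100.7', ['file' => '../../wp-config.php']],
    ['/wp-admin/admin.php', '198.51.100.7', ['backup_dir' => '../backups/']],
];
foreach ($samples as [$page, $ip, $params]) {
    $hits = fw_screen_request($params, $page, $ip, $cfg);
    echo $page, ' ', json_encode($params), ' => ', $hits ? 'block ' . json_encode($hits) : 'allow', PHP_EOL;
}
```

The first and last samples pass because the phrase sits in an exempted field, which is the trade-off of field-based whitelisting: every exemption is a place the rules no longer look, so exemptions should stay as narrow as the page and field that need them.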



I’ve just made some changes. I haven’t seen any problems yet. The plugin is working. I’ll also try to do some penetration testing on my blog and will check if the firewall works well.

function WP_firewall_check_exclusions() {
	$request_string = WP_firewall_check_whitelisted_variable();

	if ( is_admin() ) {

	if($request_string == false) {
		//nothing to do
	} else {

I’m using BPS and with that function it is working properly; on line 158, change it to this:

if ( is_admin() ) {

Contributors & Developers

“WordPress Firewall 2” is open source software. The following people have contributed to this plugin.





  • Fixed known bugs
  • Added plain text email option
  • IP of plugin activator added by default
  • Other small, miscellaneous updates.
  • Now maintained by Matthew Pavkov


  • First release.
  • Developed by SEO Egghead


  • Unreleased.