NinjaFirewall and the General Data Protection Regulation (GDPR).
For a full version of this article covering all NinjaFirewall versions/editions, please consult: https://blog.nintechnet.com/ninjafirewall-general-data-protection-regulation-compliance/
NinjaFirewall (WP Edition) is compliant with the General Data Protection Regulation (GDPR) which will take effect on May 25, 2018. It is required because, as a firewall, it saves IP addresses to a log which is stored on your server. Note that we, NinTechNet – the authors, do not collect any private data from your visitors and do not have access to your logs.
In order to be compliant, NinjaFirewall offers two different options: Automatic log deletion or IP anonymisation.
Automatic deletion of old log files
Available since version 3.6.2, it is disabled by default. It can be configured from the “NinjaFirewall > Firewall Log” page:
I recommend keeping the firewall logs for at least a month or, better, 45 days before deleting them. If there were security issues with your website, you could consult them for digital forensic purposes.
NinjaFirewall doesn’t save its logs in the database; instead, they are all stored on disk, inside the wp-content/nfwlog/ folder:
IP anonymisation
Disabled by default, this option is available in the “NinjaFirewall > Firewall Options” page:
It will anonymize IP addresses (IPv4 and IPv6) by replacing their last 3 characters with the x character. Here’s an example of an anonymized IP in the firewall log:
03/Apr/18 20:03:05 #4835755 CRITICAL 2 90.142.231.xxx GET /index.php - GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
As indicated, this option does not apply to:
- Private IP addresses: There is no need to anonymize them, they aren’t routable.
- The “Login Protection”: It refers to the “Write the incident to the server Authentication log” feature from the brute-force attack protection which is used to forward the offender’s IP to the server authentication log in order to block it at the server level, usually via a third-party application such as Fail2Ban. For obvious reasons, the full IP must be forwarded because the kernel firewall cannot use anonymized IP addresses. Note that this is an optional feature and it is not enabled by default.
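One way to verify the anonymisation rule described in the post above against a copy of the firewall log (an added example, not NinjaFirewall's own code). It assumes the IP is the sixth whitespace-separated field, as in the single sample line shown, reads "last 3 characters" literally, and treats "private" as Python's `ipaddress.is_private`; every log line after the first is constructed.

```python
import ipaddress

def anonymize(ip: str) -> str:
    """Mask an address as the post describes: the last 3 characters become 'x'.
    Private (non-routable) addresses are returned unchanged."""
    if ipaddress.ip_address(ip).is_private:
        return ip
    return ip[:-3] + "xxx"

def audit(lines):
    """Return (line_number, ip) for every public IP that was logged in full."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue                      # not a log entry in the assumed layout
        field = fields[5]                 # assumed position of the client IP
        if field.endswith("xxx"):
            continue                      # already anonymised
        try:
            address = ipaddress.ip_address(field)
        except ValueError:
            continue                      # sixth field is not an IP address
        if not address.is_private:
            findings.append((number, field))
    return findings

# First line is the sample from the post; the remaining lines are constructed.
SAMPLE_LOG = [
    "03/Apr/18 20:03:05 #4835755 CRITICAL 2 90.142.231.xxx GET /index.php - sample",
    "03/Apr/18 20:04:11 #1000001 CRITICAL 2 208.67.222.222 GET /index.php - constructed",
    "03/Apr/18 20:05:42 #1000002 CRITICAL 2 192.168.1.20 POST /wp-login.php - constructed",
    "03/Apr/18 20:06:10 #1000003 CRITICAL 2 2001:4860:4860::8xxx GET /index.php - constructed",
]

if __name__ == "__main__":
    for number, ip in audit(SAMPLE_LOG):
        print(f"line {number}: full public IP logged: {ip}")
    # Character-based masking hides a variable amount of the address:
    for ip in ("208.67.222.222", "8.8.8.8", "2001:4860:4860::8888"):
        print(ip, "->", anonymize(ip))
```

Because the mask is counted in characters rather than octets, a short final octet causes part of the preceding octet and its separator to be replaced as well.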
Dear plugin producers,
this sounds good and you really seem to care about this important topic.
You stated that you do not store data from my visitors, but does this mean, zero data is sent to your servers (for example to check “hostile known” IPs or any other data) just like other protection plugins do?
Thanks for an answer.
Yes, I confirm that no private data is sent to us and your customers’ data does not leave your server (IP addresses, traffic & statistics, logs etc). Everything is stored in your wp-content/nfwlog/ folder only and no one but you has access to it.