NinjaFirewall (WP Edition) support forum: NinjaFirewall and the General Data Protection Regulation (GDPR).

  • [Resolved] Plugin Author nintechnet

    (@nintechnet)

    For a full version of this article covering all NinjaFirewall versions/editions, please consult: https://blog.nintechnet.com/ninjafirewall-general-data-protection-regulation-compliance/

    NinjaFirewall (WP Edition) is compliant with the General Data Protection Regulation (GDPR) which will take effect on May 25, 2018. It is required because, as a firewall, it saves IP addresses to a log which is stored on your server. Note that we, NinTechNet – the authors, do not collect any private data from your visitors and do not have access to your logs.

    In order to be compliant, NinjaFirewall offers two different options: Automatic log deletion or IP anonymisation.

    Automatic deletion of old log files

    Available since version 3.6.2, it is disabled by default. It can be configured from the “NinjaFirewall > Firewall Log” page:

    I recommend keeping the firewall logs for at least a month or, better, 45 days before deleting them. If there were security issues with your website, you could consult them for digital forensic purposes.
    NinjaFirewall doesn’t save its logs in the database, instead they are all stored on disk, inside the wp-content/nfwlog/ folder:

    IP anonymization

    Disabled by default, this option is available in the “NinjaFirewall > Firewall Options” page:

    It will anonymize IP addresses (IPv4 and IPv6) by replacing their last 3 characters with the x character. Here’s an example of an anonymized IP in the firewall log:

    03/Apr/18 20:03:05  #4835755  CRITICAL  2  90.142.231.xxx  GET /index.php - GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
    

    As indicated, this option does not apply to:

    • Private IP addresses: There is no need to anonymize them, they aren’t routable.
    • The “Login Protection”: It refers to the “Write the incident to the server Authentication log” feature from the brute-force attack protection which is used to forward the offender’s IP to the server authentication log in order to block it at the server level, usually via a third-party application such as Fail2Ban. For obvious reasons, the full IP must be forwarded because the kernel firewall cannot use anonymized IP addresses. Note that this is an optional feature and it is not enabled by default.
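As an added illustration (not NinjaFirewall's own code, and not part of the post above), here are the two options described in the post written out in Python over constructed log lines in the layout shown. The anonymisation rule is applied literally as the post states it: a public IPv4 or IPv6 address loses its last three characters to `x`, and private (non-routable) addresses are left alone, decided here with Python's `ipaddress.is_private`. The retention rule deletes files in a directory older than a chosen number of days. The sample entries, the six-field layout assumed by `LOG_RE`, and the file names used when calling `purge_old_logs` are all constructed for the demo; the plugin's real log files and its exact masking logic may differ.

```python
import ipaddress
import re
import time
from pathlib import Path
from typing import List, Optional

# Constructed sample entries in the layout shown in the post: six fields
# separated by two spaces (date/time, incident id, severity, a numeric
# field, client IP, request details). The addresses are made up for the demo.
SAMPLE_LOG = """\
03/Apr/18 20:03:05  #4835755  CRITICAL  2  90.142.231.145  GET /index.php - GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
03/Apr/18 20:04:11  #4835756  HIGH  2  2a02:1234:5678::abcd  POST /wp-login.php - Brute-force attack - [POST:log = admin]
03/Apr/18 20:05:30  #4835757  MEDIUM  1  192.168.1.20  GET /index.php - Local request - [GET:p = 1]
"""

# Assumed layout: the field separator is two spaces; the IP is the fifth field.
LOG_RE = re.compile(r'^(\S+ \S+)  (#\d+)  (\w+)  (\d+)  (\S+)  (.*)$')


def anonymize_ip(ip: str) -> str:
    """Apply the rule as the post states it: replace the last three characters
    of a public IPv4/IPv6 address with 'x'. Private (non-routable) addresses
    are returned unchanged, and so is anything that is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip
    # Assumption: ipaddress.is_private also covers loopback, link-local and
    # documentation ranges, which are not routable either, so skip them too.
    if addr.is_private:
        return ip
    return ip[:-3] + 'xxx'


def anonymize_log_line(line: str) -> str:
    """Mask the IP field of one entry; leave lines in an unknown layout alone."""
    m = LOG_RE.match(line)
    if not m:
        return line
    fields = list(m.groups())
    fields[4] = anonymize_ip(fields[4])
    return '  '.join(fields)


def anonymize_log(text: str) -> List[str]:
    return [anonymize_log_line(line) for line in text.splitlines()]


def purge_old_logs(log_dir, keep_days: int, now: Optional[float] = None) -> List[str]:
    """Delete files in log_dir whose modification time is older than keep_days.
    Returns the names that were deleted so the caller can record the purge."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    deleted = []
    for path in sorted(Path(log_dir).iterdir()):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            deleted.append(path.name)
    return deleted


if __name__ == '__main__':
    for entry in anonymize_log(SAMPLE_LOG):
        print(entry)
```

Following the post's own recommendation, `purge_old_logs('wp-content/nfwlog', 45)` would be the call for a 45-day retention; decide the retention period you need for forensics first, because the deletion is not reversible.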
  • Ulf

    (@wppraesenz)

    Dear plugin producers,
    this sounds good and you really seem to care about this important topic.
    You stated that you do not store data from my visitors, but does this mean that zero data is sent to your servers (for example to check “known hostile” IPs or any other data), just like other protection plugins do?
    Thanks for an answer.
    Best wishes

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Yes, I confirm that no private data is sent to us and your customers data does not leave your server (IP addresses, traffic & statistics, logs etc). Everything is stored in your wp-content/nfwlog/ folder only and no one but you has access to it.

    Ulf

    (@wppraesenz)

    Thank you very much for this clarification, which is very important for GDPR conformity. I would recommend putting that into the text. 🙂
    I will use it now.
    Best wishes and further success!

    speedpress

    (@speedpress)

    That is another reason why you develop the very best security plugin that exists.

    Security, Performance & Privacy. That's what we need and you gave it to us. Thank you for all of it.
