A true web application firewall for WordPress.
|Author:||The Ninja Technologies Network (profile at wordpress.org)|
|WordPress version required:||3.3.0|
|WordPress version tested:||4.9.6|
|Added to WordPress repository:||30-03-2013|
|Total downloads:||285 284|
|Active installs:||20 000+|
Click to start download
File Guard: this is a totally unique feature, because it can detect, in real-time, any access to a PHP file that was recently modified or created, and alert you about this.
File Check: lets you perform file integrity monitoring upon request or on a specific interval (hourly, twicedaily, daily).
Security rules updates.
Statistics and benchmarks page.
Policies pages: NinjaFirewall has a large list of powerful and unique policies that you can tweak accordingly to your needs.
Event notifications can alert you by email on specific events triggered within your blog.
Login page protection: the fastest and most efficient brute-force attack protection for WordPress.
Live Log: lets you watch your website traffic in real time. It is fast, light and it does not affect your server load.
ninjafirewallfolder to the
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- Plugin settings are located in ‘NinjaFirewall’ menu.
Why is NinjaFirewall different from other security plugins for WordPress ?
NinjaFirewall sits between the attacker and WordPress. It can filter requests before they reach your blog and any of its plugins. This is how it works :
Visitor -> HTTP server -> PHP -> NinjaFirewall #1 -> WordPress -> NinjaFirewall #2 -> Plugins & Themes -> WordPress exit -> NinjaFirewall #3
And this is how all WordPress plugins work :
Visitor > HTTP server > PHP > WordPress > Plugins -> WordPress exit
Unlike other security plugins, it will protect all PHP scripts, including those that aren’t part of the WordPress package.
How powerful is NinjaFirewall?
NinjaFirewall includes a very powerful filtering engine which can detect Web Application Firewall evasion techniques and obfuscation tactics used by hackers, as well as support and decode a large set of encodings. See our blog for a full description: An introduction to NinjaFirewall 3.0 filtering engine.
Do I need root privileges to install NinjaFirewall ?
NinjaFirewall does not require any root privilege and is fully compatible with shared hosting accounts. You can install it from your WordPress admin console, just like a regular plugin.
Does it work with Nginx ?
NinjaFirewall works with Nginx and others Unix-based HTTP servers (Apache, LiteSpeed etc). Its installer will detect it.
Do I need to alter my PHP scripts ?
You do not need to make any modifications to your scripts. NinjaFirewall hooks all requests before they reach your scripts. It will even work with encoded scripts (ionCube, ZendGuard, SourceGuardian etc).
I moved my wp-config.php file to another directory. Will it work with NinjaFirewall ?
NinjaFirewall will look for the wp-config.php script in the current folder or, if it cannot find it, in the parent folder.
Will NinjaFirewall detect the correct IP of my visitors if I am behind a CDN service like Cloudflare ?
You can use an optional configuration file to tell NinjaFirewall which IP to use. Please follow these steps.
Will it slow down my site ?
Your visitors will not notice any difference with or without NinjaFirewall. From WordPress administration console, you can click “NinjaFirewall > Status” menu to see the benchmarks and statistics (the fastest, slowest and average time per request). NinjaFirewall is very fast, optimised, compact, requires very low system resources and outperforms all other security plugins.
By blocking dangerous requests and bots before WordPress is loaded, it will save bandwidth and reduce server load.
Is there any Microsoft Windows version ?
NinjaFirewall works on Unix-like servers only. There is no Microsoft Windows version and we do not expect to release any.
- Fixed potential “session_status()” error with old PHP installations.
- Added the “Referrer-Policy” header (see “Firewall Policies > Advanced Policies > HTTP response headers”).
- Added the “418 I’m a teapot” HTTP error code (see “Firewall Options > HTTP error code to return”).
- Modified how PHP sessions were handled in order to prevent conflicts with third-party applications that may attempt to start a session without checking if one was already started (e.g., Piwik/Zend Framework, phpMyadmin).
- Added more options to the X-XSS-Protection header; it can be set to “0”, “1”, “1; mode=block” or disabled (see “Firewall Policies > Advanced Policies > HTTP response headers”).
- [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
- Minor fixes.