Firewall & WAF
WordPress Application Firewall with 7 rule categories, security hardening checklist, and HTTP security headers management.
WAF Rule Categories
The firewall inspects every incoming request and blocks those matching known attack patterns. Rules are organized into 7 categories:
| Category | Description | Example Patterns |
|---|---|---|
| SQL Injection (SQLi) | Detects attempts to inject SQL commands via input fields, URLs, and cookies | UNION SELECT, OR 1=1, DROP TABLE |
| Cross-Site Scripting (XSS) | Blocks injection of malicious JavaScript and HTML | <script>, onerror=, javascript: |
| Local File Inclusion (LFI) | Prevents path traversal attacks to read local files | ../../etc/passwd, php://filter |
| Remote File Inclusion (RFI) | Blocks attempts to include remote malicious files | http://evil.com/shell.php |
| Remote Code Execution (RCE) | Detects command injection and code execution attempts | ; cat /etc/passwd, eval( |
| Scanner Detection | Identifies automated vulnerability scanners | WPScan, sqlmap, Nikto, Nessus user agents |
| Comment Spam | Blocks spam bot comment submissions | Excessive links, known spam patterns, missing referrer |
Each category can be independently enabled or disabled from VistoShield → Firewall → Rules.
WAF Modes
| Mode | Behavior |
|---|---|
| Learning | Logs all matches but does not block any requests. Use this when first enabling the WAF to identify false positives. |
| Active | Blocks requests that match enabled rules and logs the event. |
| Disabled | WAF is completely off. No inspection occurs. |
Tip: Start in Learning mode for 1–2 weeks, review the logs for false positives, add any necessary whitelisting rules, then switch to Active mode.
Security Hardening Checklist
The hardening tab provides one-click toggles for common WordPress security measures:
| Hardening Rule | What It Does |
|---|---|
| Disable XML-RPC | Blocks xmlrpc.php to prevent brute force and DDoS amplification attacks |
| Disable file editing | Sets DISALLOW_FILE_EDIT to prevent plugin/theme editor access |
| Hide WordPress version | Removes the version meta tag and generator output |
| Block author enumeration | Prevents ?author=N user discovery scans |
| Disable directory listing | Adds index files to prevent directory browsing |
| Protect wp-config.php | Blocks direct access to the configuration file |
| Protect .htaccess | Blocks direct access to Apache configuration files |
| Block PHP in uploads | Prevents PHP execution in wp-content/uploads/ |
| Disable REST API for guests | Restricts REST API access to authenticated users |
Security Headers
Manage HTTP response headers from the Headers tab:
| Header | Default Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | Configurable per-feature |
| Content-Security-Policy | Customizable via the CSP builder |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
Warning: A misconfigured Content-Security-Policy can break your site's frontend. Use the CSP builder's "report-only" mode first to test before enforcing.
Whitelisting
If a WAF rule causes false positives, you can whitelist specific requests:
- By URL path — Exclude specific pages (e.g., /wp-admin/post.php)
- By parameter — Exclude specific query/post parameters
- By IP — Exclude trusted IP addresses from WAF inspection
- By rule ID — Disable a specific rule for a specific URL
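To make the interaction between rule categories, WAF modes and the four whitelist types concrete, here is an added example (not VistoShield's own code) of a minimal inspector that applies the same decision order: whitelisted IPs and paths skip inspection entirely, whitelisted parameters are stripped before matching, a (rule ID, path) pair disables one rule on one URL, and the mode decides whether a match is logged or blocked. The rule regexes, rule IDs and sample requests are constructed for illustration and are not the plugin's real signatures.

```python
import re
from urllib.parse import parse_qsl
from dataclasses import dataclass, field

# Constructed rule set modelled on the page's categories; the regexes are
# illustrative and not the plugin's own rule signatures.
RULES = {
    "sqli-001": ("SQL Injection", re.compile(r"union\s+select|\bor\s+1=1|drop\s+table", re.I)),
    "xss-001": ("Cross-Site Scripting", re.compile(r"<script|onerror=|javascript:", re.I)),
    "lfi-001": ("Local File Inclusion", re.compile(r"\.\./|php://filter", re.I)),
    "scan-001": ("Scanner Detection", re.compile(r"wpscan|sqlmap|nikto|nessus", re.I)),
}

@dataclass
class Whitelist:
    paths: set = field(default_factory=set)       # by URL path
    params: set = field(default_factory=set)      # by parameter name
    ips: set = field(default_factory=set)         # by source IP
    rule_paths: set = field(default_factory=set)  # by (rule ID, path)

def inspect(req, mode, wl):
    """Decide one request. req keys: ip, path, query, user_agent (constructed shape).
    mode is 'learning' (log only), 'active' (block) or 'disabled' (no inspection)."""
    if mode == "disabled" or req["ip"] in wl.ips or req["path"] in wl.paths:
        return "allowed", None
    # Whitelisted parameters are dropped before inspection; everything else is scanned.
    kept = [v for k, v in parse_qsl(req["query"], keep_blank_values=True) if k not in wl.params]
    haystack = " ".join([req["path"], *kept, req["user_agent"]])
    for rule_id, (category, pattern) in RULES.items():
        if (rule_id, req["path"]) in wl.rule_paths:
            continue  # rule disabled for this URL only
        if pattern.search(haystack):
            return ("blocked" if mode == "active" else "logged"), rule_id
    return "allowed", None

def run_samples(mode):
    """Run constructed sample requests; returns [(action, rule_id), ...]."""
    wl = Whitelist(params={"content"}, ips={"198.51.100.9"},
                   rule_paths={("lfi-001", "/wp-admin/post.php")})
    ua = "Mozilla/5.0"
    samples = [
        {"ip": "203.0.113.5", "path": "/", "query": "s=hello", "user_agent": ua},
        {"ip": "203.0.113.5", "path": "/", "query": "id=1 UNION SELECT 1,2", "user_agent": ua},
        {"ip": "198.51.100.9", "path": "/", "query": "", "user_agent": "WPScan v3"},  # trusted IP
        {"ip": "203.0.113.7", "path": "/wp-admin/post.php", "query": "content=<script>x</script>", "user_agent": ua},
        {"ip": "203.0.113.7", "path": "/wp-admin/post.php", "query": "file=../../etc/passwd", "user_agent": ua},
        {"ip": "203.0.113.7", "path": "/index.php", "query": "file=../../etc/passwd", "user_agent": ua},
    ]
    return [inspect(r, mode, wl) for r in samples]

if __name__ == "__main__":
    for mode in ("learning", "active"):
        print(mode, run_samples(mode))
```

Running the same samples in Learning mode first shows which rules would fire (the editor saving HTML, the trusted scanner) without blocking anyone, which is exactly the review step the tip above recommends before switching to Active.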
Firewall Logs
All blocked requests are logged in VistoShield → Firewall → Logs with:
- Timestamp, source IP, and country
- Request URI, method, and matched rule
- The specific payload that triggered the rule
- Action taken (blocked, logged, challenged)