🛡 Firewall & WAF
WordPress Application Firewall with security hardening, HTTP security headers, and configurable rate limiting. Block attacks at the application layer before they reach your site.
What This Solves
WordPress sites face constant attacks: SQL injection, cross-site scripting, file inclusion, and brute-force probes. Without a firewall, every request reaches your application layer unchecked. VistoShield Firewall blocks malicious requests before they execute, hardens your WordPress configuration, and adds security headers that browsers enforce.
Who This Module Is For
Site Owners Worried About Injections
SQL injection and XSS are the top two attack vectors on WordPress. The WAF blocks both at the application layer so you can sleep at night knowing your content and database are protected.
WooCommerce Sites Handling Payments
Payment pages are high-value targets. A web application firewall adds a critical layer of defense between your checkout flow and the attackers trying to exploit it.
Developers Who Want Hardening Without Server Access
No SSH required. The 14-point hardening checklist and HTTP security headers are applied at the PHP level, so you get server-grade protection on any shared or managed host.
Key Features
WAF Rules
7 rule categories covering SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI), remote code execution (RCE), scanner detection, and comment spam.
Learning Mode
Enable learning mode to detect and log threats without blocking any requests. Review what the WAF would have blocked before switching to active protection.
Security Hardening
14-point hardening checklist including disable XML-RPC, hide WordPress version, block author enumeration, disable file editing, and restrict REST API access.
HTTP Security Headers
Configure HSTS, X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers from one interface.
Event Logging
Detailed WAF event log showing every blocked or flagged request with severity level, matched rule, request URI, IP address, and timestamp.
Server Integration
Syncs blocked IPs with the VistoShield Linux daemon for server-level firewall blocking. Attacks blocked at the WordPress layer get escalated to nftables/iptables.
WAF Modes & Rule Categories
The Web Application Firewall operates in three modes: Disabled, Learning, and Active. Learning mode is the recommended starting point — it logs every rule match without blocking traffic, letting you identify false positives before enabling enforcement.
7 Rule Categories
- SQL Injection (SQLi) — blocks union-based, error-based, and blind injection attempts in query strings, POST data, and cookies
- Cross-Site Scripting (XSS) — filters inline scripts, event handlers, and encoded payloads in user input
- Local File Inclusion (LFI) — prevents path traversal attacks targeting `/etc/passwd`, `wp-config.php`, and similar files
- Remote File Inclusion (RFI) — blocks attempts to include external PHP files via URL parameters
- Remote Code Execution (RCE) — detects command injection attempts using `system()`, `exec()`, `passthru()`
- Scanner Detection — identifies automated vulnerability scanners by their request patterns and user agents
- Comment Spam — blocks spam bots targeting `wp-comments-post.php` without proper referrer headers
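As an added illustration (not VistoShield's code), the sketch below shows how Learning and Active mode differ in practice: both produce the same event record (severity, matched rule, request URI, IP, timestamp), but only Active mode refuses the request. The option name, function names and the three sample patterns are hypothetical stand-ins for the plugin's real rule set.

```php
<?php
// Added illustration, not VistoShield's code. Rule patterns are deliberately
// minimal; option and function names are hypothetical.

const EXAMPLE_WAF_MODE_OPTION = 'example_waf_mode'; // 'disabled' | 'learning' | 'active'

// A small rule table: category, severity, regex applied to raw request values.
function example_waf_rules(): array {
    return [
        ['lfi', 'high',     '#(\.\./|/etc/passwd|wp-config\.php)#i'],
        ['rce', 'critical', '#\b(system|exec|passthru)\s*\(#i'],
        ['xss', 'medium',   '#<script\b|\bon\w+\s*=#i'],
    ];
}

// Build one event record, in the shape of the WAF event log, for the first
// rule that matches any request value; null means the request is clean.
function example_waf_inspect(array $values, string $uri, string $ip, int $now): ?array {
    foreach (example_waf_rules() as [$rule, $severity, $pattern]) {
        foreach ($values as $value) {
            if (is_string($value) && preg_match($pattern, $value)) {
                return ['severity' => $severity, 'rule' => $rule, 'uri' => $uri,
                        'ip' => $ip, 'time' => gmdate('c', $now)];
            }
        }
    }
    return null;
}

// Run early in the request. Learning mode logs the event and lets the request
// continue; Active mode logs it and answers 403.
add_action('init', function (): void {
    $mode = get_option(EXAMPLE_WAF_MODE_OPTION, 'learning');
    if ($mode === 'disabled') {
        return;
    }
    $values = array_merge(array_values($_GET), array_values($_POST), array_values($_COOKIE));
    $event  = example_waf_inspect($values, $_SERVER['REQUEST_URI'] ?? '/',
                                  $_SERVER['REMOTE_ADDR'] ?? '', time());
    if ($event === null) {
        return;
    }
    $event['action'] = ($mode === 'active') ? 'blocked' : 'flagged';
    error_log('waf ' . json_encode($event)); // stand-in for the plugin's event table
    if ($mode === 'active') {
        status_header(403);
        exit;
    }
}, 1);
```

Reviewing the `flagged` entries that learning mode writes is how false positives (a legitimate form field that happens to contain `../`, for example) are found before switching to `active`.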
14-Point Hardening Checklist
- Disable XML-RPC completely
- Hide WordPress version from source
- Block author enumeration (`?author=N`)
- Disable file editing in admin
- Restrict REST API to authenticated users
- Remove Windows Live Writer manifest
- Remove RSD/EditURI link
- Disable RSS/Atom feeds (optional)
- Block PHP execution in uploads directory
- Protect `wp-config.php` access
- Disable directory browsing
- Remove version query strings from assets
- Block access to sensitive files (`.htaccess`, `readme.html`)
- Force secure cookies on HTTPS sites
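To show what "applied at the PHP level" means for the checklist, here is an added example (not VistoShield's code) implementing several of the items above with standard WordPress hooks and constants; the items that need `.htaccess` or server rules (PHP execution in uploads, directory browsing, sensitive-file access) are left out because they cannot be done from PHP alone. The `example_` prefix and the closure names are hypothetical.

```php
<?php
// Added illustration, not VistoShield's code. Each block maps one checklist
// item to the WordPress hook or constant that implements it.

// Disable XML-RPC completely.
add_filter('xmlrpc_enabled', '__return_false');

// Hide the WordPress version from page source and feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Block author enumeration: ?author=N would normally redirect to
// /author/<username>/ and disclose the login name.
add_action('template_redirect', function (): void {
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// Disable the theme/plugin file editor in wp-admin.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Restrict the REST API to authenticated users.
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result; // an earlier authentication check already decided
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in',
            'REST API restricted to authenticated users.', ['status' => 401]);
    }
    return $result;
});

// Remove the Windows Live Writer manifest and the RSD/EditURI link from <head>.
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'rsd_link');

// Remove version query strings (?ver=6.x) from enqueued scripts and styles.
$example_strip_ver = function (string $src): string {
    return remove_query_arg('ver', $src);
};
add_filter('script_loader_src', $example_strip_ver);
add_filter('style_loader_src', $example_strip_ver);
```

Restricting the REST API this way also blocks anonymous plugins and front-end features that rely on it, so test contact forms and block-editor previews after enabling it.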
HTTP Security Headers
Security headers are the first line of defense against browser-based attacks. The Firewall plugin lets you configure all major security headers from a single settings page, with sensible defaults and the ability to customize each directive.
Headers are applied at the PHP level, so they work on any hosting environment without requiring access to server configuration files. Each header includes a description of what it does and recommended values for WordPress sites.
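As an added example of PHP-level header emission (not VistoShield's code), the snippet below sends the headers named above from the `send_headers` hook. The directive values are illustrative defaults, not the plugin's recommended ones; the CSP is deliberately started in report-only mode, and HSTS is only sent over HTTPS.

```php
<?php
// Added illustration, not VistoShield's code. Values are example defaults;
// the CSP in particular must be tuned to the theme and plugins in use.

function example_security_headers(bool $is_https): array {
    $headers = [
        'X-Frame-Options'              => 'SAMEORIGIN',
        'X-Content-Type-Options'       => 'nosniff',
        'Referrer-Policy'              => 'strict-origin-when-cross-origin',
        'Permissions-Policy'           => 'camera=(), microphone=(), geolocation=()',
        'Cross-Origin-Opener-Policy'   => 'same-origin',
        'Cross-Origin-Resource-Policy' => 'same-site',
        // Report-Only lets a too-strict policy be observed without breaking the
        // site; rename to Content-Security-Policy once violation reports are clean.
        'Content-Security-Policy-Report-Only' =>
            "default-src 'self'; img-src 'self' data: https:; " .
            "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " .
            "frame-ancestors 'self'; base-uri 'self'; form-action 'self'",
    ];
    // Browsers ignore HSTS received over plain HTTP, and a long max-age sent by
    // mistake on a site that still needs HTTP is hard to undo, so gate it on HTTPS.
    if ($is_https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

add_action('send_headers', function (): void {
    if (headers_sent()) {
        return; // output already started; headers can no longer be added
    }
    foreach (example_security_headers(is_ssl()) as $name => $value) {
        header("$name: $value", true); // true replaces any earlier copy of the header
    }
});
```

If the web server or a caching layer already sets one of these headers, the browser receives two copies; check the response with the browser's network inspector and keep a single source of truth for each header.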
Why Upgrade Firewall to Pro
Free gives you real-time WAF protection. Pro adds long-term attack visibility — see which attack patterns target your site over weeks and months, not just the last 7 days. Automated PDF reports document your security posture for stakeholders or clients. Priority support means faster help when you need to fine-tune rules for a complex site. See this data in your cloud dashboard — alongside all your other sites.
Free vs Pro
Keep full WAF protection for free. Pro adds long-term attack visibility, automated reporting, and priority support for business-critical sites.
| Feature | Free | Pro |
|---|---|---|
| WAF rules (7 categories) | ✓ | ✓ |
| Security hardening | ✓ 14-point | ✓ 14-point |
| HTTP security headers | ✓ | ✓ |
| WAF event history | 7 days | Up to 10 years |
| PDF security reports | ✗ | ✓ Weekly |
| Priority support | Community | 24h email |
| Price | €0 forever | €79/year (10 sites), €6.50/mo; free trial, no credit card required |
All Pro features included in the Pro plan at €79/year (10 sites). Managing client sites? See Agency plan →
Ready to Protect Your WordPress Site?
Install Firewall & WAF from the WordPress plugin directory and enable protection in minutes.