Firewall & WAF — VistoShield

Key Features

🔥

WAF Rules

7 rule categories covering SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote file inclusion (RFI), remote code execution (RCE), scanner detection, and comment spam.

🎓

Learning Mode

Enable learning mode to detect and log threats without blocking any requests. Review what the WAF would have blocked before switching to active protection.

🔐

Security Hardening

14-point hardening checklist including disable XML-RPC, hide WordPress version, block author enumeration, disable file editing, and restrict REST API access.

📜

HTTP Security Headers

Configure HSTS, X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers from one interface.

📋

Event Logging

Detailed WAF event log showing every blocked or flagged request with severity level, matched rule, request URI, IP address, and timestamp.

🔗

Server Integration

Syncs blocked IPs with the VistoShield Linux daemon for server-level firewall blocking. Attacks blocked at the WordPress layer get escalated to nftables/iptables.

WAF Modes & Rule Categories

The Web Application Firewall operates in three modes: Disabled, Learning, and Active. Learning mode is the recommended starting point — it logs every rule match without blocking traffic, letting you identify false positives before enabling enforcement.

7 Rule Categories

SQL Injection (SQLi) — blocks union-based, error-based, and blind injection attempts in query strings, POST data, and cookies
Cross-Site Scripting (XSS) — filters inline scripts, event handlers, and encoded payloads in user input
Local File Inclusion (LFI) — prevents path traversal attacks targeting /etc/passwd, wp-config.php, and similar files
Remote File Inclusion (RFI) — blocks attempts to include external PHP files via URL parameters
Remote Code Execution (RCE) — detects command injection attempts using system(), exec(), passthru()
Scanner Detection — identifies automated vulnerability scanners by their request patterns and user agents
Comment Spam — blocks spam bots targeting wp-comments-post.php without proper referrer headers

14-Point Hardening Checklist

Disable XML-RPC completely
Hide WordPress version from source
Block author enumeration (?author=N)
Disable file editing in admin
Restrict REST API to authenticated users
Remove Windows Live Writer manifest
Remove RSD/EditURI link
Disable RSS/Atom feeds (optional)
Block PHP execution in uploads directory
Protect wp-config.php access
Disable directory browsing
Remove version query strings from assets
Block access to sensitive files (.htaccess, readme.html)
Force secure cookies on HTTPS sites

HTTP Security Headers

Security headers are the first line of defense against browser-based attacks. The Firewall plugin lets you configure all major security headers from a single settings page, with sensible defaults and the ability to customize each directive.

Headers are applied at the PHP level, so they work on any hosting environment without requiring access to server configuration files. Each header includes a description of what it does and recommended values for WordPress sites.

Feature	Free	Pro Bundle
WAF Rules	Standard	Premium rules + priority updates
Reporting	Basic stats	Weekly email + PDF export
Event History	7 days	Up to 10 years
Support	Community	Priority 24h
Updates	Standard	Priority + Early Access

🛡 Firewall & WAF

Key Features

WAF Rules

Learning Mode

Security Hardening

HTTP Security Headers

Event Logging

Server Integration

WAF Modes & Rule Categories

7 Rule Categories

14-Point Hardening Checklist

HTTP Security Headers

Screenshots

Free vs Pro

Ready to Protect Your WordPress Site?