WordPress Firewall 2

You need to protect your WordPress site from malicious requests, and using WordPress Firewall 2 is a good way of doing this.

Plugin Page: http://wordpress.org/extend/plugins/wordpress-firewall-2/

Why WordPress Firewall 2 Is Important

A commonly used way for hackers to try to gain access to your site is by embedding malicious code in requests to your site.

As an example, a hacker might embed code in a request from the internet that adds an administrator user to the database. This is also known as a SQL Injection Attack.

The WordPress Firewall 2 plugin will stop these types of attacks.

How You Complete This Security Checkpoint

Follow these steps:

  • Add and Activate the plugin.

  • The default settings will work for most sites.
    (Screenshot: Default Settings)

  • Optional: Turn off email notifications.
    Whenever the Firewall stops an attack it will send you an email with details of the attack.
    (Screenshot: Warning Email)

    If you repeatedly get attacked from a particular IP address, you can block access to your site from this IP address. Hackers usually disguise their real IP addresses and run automated attacks using other people's computers, so in our opinion blocking IP addresses has little value.
    See how to block an IP address from your site: Block IP Address.

    If you do not want to receive notification emails from your Firewall, enter a blank address and click Set Email.
    (Screenshot: Enter Blank Email)

  • Optional: Whitelist your own IP address.
    If you edit certain settings or files on your site, the Firewall might think it's an attack. For example, this can happen if you edit your theme files via the WordPress administration panel. If that happens, you will be redirected to the home page when you try to save the file.
    You can disable the Firewall temporarily. Or you can whitelist your own IP address.
    This only works well if you have a fixed IP address.
    (Screenshot: Whitelist IP)

  • Tip! If you use the W3 Total Cache plugin, we recommend you add w3tc_referrer as a whitelisted form variable.
    (Screenshot: Whitelist w3tc referrer)
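
To see why the two whitelists matter, here is a small request filter written for this article as an added example. It is not the WordPress Firewall 2 source code: the patterns, the `inspect_request` function, the `file_content` variable, the IP addresses and all sample values are assumptions made up for illustration.

```php
<?php
// Illustrative request filter. NOT the WordPress Firewall 2 source code.
// Patterns, variable names (except w3tc_referrer) and sample values are constructed.

const SQLI_PATTERNS = [
    '/\bunion\b.+\bselect\b/is',
    '/\binsert\s+into\b/i',
    '/\bdrop\s+table\b/i',
    '/[\'"]\s*or\s+\d+\s*=\s*\d+/i',
];

// Returns the name of the first variable that matches a pattern, or null if the request passes.
function inspect_request(array $params, string $clientIp, array $ipWhitelist, array $varWhitelist): ?string
{
    if (in_array($clientIp, $ipWhitelist, true)) {
        return null; // whitelisted IP: nothing is inspected
    }
    foreach ($params as $name => $value) {
        if (in_array((string) $name, $varWhitelist, true)) {
            continue; // whitelisted form variable: its value is skipped
        }
        // Collect scalar values, including nested ones such as field[]=a&field[]=b.
        $parts = [];
        $wrapped = [$value];
        array_walk_recursive($wrapped, function ($v) use (&$parts) {
            $parts[] = (string) $v;
        });
        foreach (SQLI_PATTERNS as $pattern) {
            if (preg_match($pattern, implode(' ', $parts)) === 1) {
                return (string) $name;
            }
        }
    }
    return null;
}

$adminIp = '203.0.113.10'; // documentation-range address standing in for your fixed IP
$otherIp = '198.51.100.7'; // documentation-range address standing in for a stranger
$themeEdit = ['file_content' => '$wpdb->query("INSERT INTO log_table VALUES (1)");'];
$cacheForm = ['w3tc_referrer' => '/wp-admin/admin.php?page=w3tc_general&s=union+select'];

// Suspicious query string from an unknown address: flagged on "id".
var_dump(inspect_request(['id' => "1' OR 1=1"], $otherIp, [], []));
// Legitimate theme edit by the site owner: false positive on "file_content".
var_dump(inspect_request($themeEdit, $adminIp, [], []));
// Same edit once the owner's IP is whitelisted: passes (NULL).
var_dump(inspect_request($themeEdit, $adminIp, [$adminIp], []));
// Cache plugin form before and after whitelisting the form variable.
var_dump(inspect_request($cacheForm, $adminIp, [], []));
var_dump(inspect_request($cacheForm, $adminIp, [], ['w3tc_referrer']));
```

Note that a whitelisted IP address or form variable is not inspected at all, so keep both lists as short as possible.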


We recommend that you use both WordPress Firewall 2 and Block Bad Queries as they protect against different types of attacks.

You might also want to consider the Sucuri WordPress Security Plugin, which has a very good Web Application Firewall and some great monitoring options.


About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!
