{"id":44457393,"url":"https://github.com/lwplugins/lw-firewall","last_synced_at":"2026-05-06T08:03:36.537Z","repository":{"id":338057305,"uuid":"1156370880","full_name":"lwplugins/lw-firewall","owner":"lwplugins","description":"Lightweight WordPress firewall — rate-limits endpoints, blocks bots, bans repeat offenders, and adds security headers","archived":false,"fork":false,"pushed_at":"2026-04-23T18:49:31.000Z","size":604,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-23T19:30:47.870Z","etag":null,"topics":["bot-protection","firewall","lightweight","rate-limiting","woocommerce","wordpress","wordpress-plugin"],"latest_commit_sha":null,"homepage":"https://lwplugins.com","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lwplugins.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"license.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://sinann.io/"]}},"created_at":"2026-02-12T15:18:40.000Z","updated_at":"2026-04-23T18:49:34.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/lwplugins/lw-firewall","commit_stats":null,"previous_names":["lwplugins/lw-firewall"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/lwplugins/lw-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwplugins%2Flw-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwplugins%2Flw-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwplugins%2Flw-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwplugins%2Flw-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lwplugins","download_url":"https://codeload.github.com/lwplugins/lw-firewall/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lwplugins%2Flw-firewall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32616861,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-04T10:08:07.713Z","status":"ssl_error","status_checked_at":"2026-05-04T10:08:02.005Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bot-protection","firewall","lightweight","rate-limiting","woocommerce","wordpress","wordpress-plugin"],"created_at":"2026-02-12T18:03:13.381Z","updated_at":"2026-05-06T08:03:36.504Z","avatar_url":"https://github.com/lwplugins.png","language":"PHP","funding_links":["https://sinann.io/"],"categories":[],"sub_categories":[],"readme":"# LW Firewall\n\nLightweight WordPress firewall — rate-limits endpoints, blocks bots, bans repeat offenders, and adds security headers.\n\n[![PHP Version](https://img.shields.io/badge/PHP-8.1%2B-blue.svg)](https://php.net)\n[![WordPress Version](https://img.shields.io/badge/WordPress-6.0%2B-blue.svg)](https://wordpress.org)\n[![License](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://www.gnu.org/licenses/gpl-2.0.html)\n\n![LW Firewall Settings](.github/screenshot.png)\n\n## The Problem\n\nBots brute-force `wp-login.php`, flood `wp-cron.php` and `xmlrpc.php`, crawl WooCommerce filter combinations, scan for vulnerabilities via 404s, and abuse the REST API — all generating thousands of uncacheable requests that overload your server.\n\n## How It Works\n\nLW Firewall installs an MU-plugin worker that intercepts requests **before WordPress fully loads**. The processing order:\n\n1. **IP Whitelist** — whitelisted IPs skip all checks\n2. **IP Blacklist** — blacklisted IPs get 403 immediately\n3. **Geo Blocking** — block entire countries (Cloudflare header or CIDR lookup)\n4. **Auto-Ban** — previously banned IPs get 403\n5. **404 Flood** — IPs with excessive 404s get 429\n6. **Bot Blocking** — User-Agent matching (all requests)\n7. **Endpoint Detection** — filter params, cron, xmlrpc, login, REST API\n8. **Rate Limiting** — per-IP counters with auto-ban escalation\n\n## Features\n\n### Endpoint Protection\n\n| Endpoint | Protection | Response |\n|----------|-----------|----------|\n| WooCommerce filters | Rate limit + bot blocking | 302 redirect or 429 |\n| `wp-login.php` | Brute-force rate limiting | 429 |\n| `wp-cron.php` | DDoS rate limiting | 429 |\n| `xmlrpc.php` | DDoS/brute-force rate limiting | 429 |\n| REST API (`/wp-json/`) | Rate limiting | 429 |\n| 404 flood | Vulnerability scanner blocking | 429 |\n\n### Bot Blocking\n\n- Block requests by User-Agent substring matching (case-insensitive)\n- 20+ known bad bots blocked by default (AhrefsBot, SemrushBot, DotBot, GPTBot, etc.)\n- Add/remove bot patterns via admin UI or WP-CLI\n\n### IP Whitelist / Blacklist\n\n- Manual IP allow/block lists\n- Supports individual IPs and CIDR ranges (e.g. `192.168.1.0/24`)\n- Whitelisted IPs bypass all firewall checks\n- Blacklisted IPs are always blocked with 403\n\n### Geo Blocking\n\n- Block visitors from specific countries by ISO 3166-1 alpha-2 code (e.g. CN, RU, IN)\n- **Cloudflare** — uses `CF-IPCountry` header (instant, zero-cost)\n- **Without Cloudflare** — CIDR-based lookup from local cache (weekly auto-update from ipdeny.com)\n- Fail-open: if no cache exists and no CF header is present, the request is not blocked\n- Configurable action: 403 Forbidden or redirect to homepage\n- Manual CIDR cache update via admin UI or WP-CLI\n\n### Auto-Ban\n\n- Automatically bans IPs that repeatedly exceed rate limits\n- Configurable threshold (default: 3 violations)\n- Configurable ban duration (default: 1 hour)\n- Escalating protection — casual users won't trigger it, persistent attackers get banned\n\n### Security Headers\n\nOne-click addition of security HTTP headers:\n\n- `X-Content-Type-Options: nosniff`\n- `X-Frame-Options: SAMEORIGIN`\n- `Referrer-Policy: strict-origin-when-cross-origin`\n- `Permissions-Policy: camera=(), microphone=(), geolocation=()`\n- `X-XSS-Protection: 1; mode=block`\n\n### Storage Backends\n\n| Backend | Speed | Persistence | Requirement |\n|---------|-------|-------------|-------------|\n| **APCu** | Fastest | Per-process | `apcu` extension |\n| **Redis** | Fast | Shared | `redis` extension + server |\n| **File** | Fallback | Disk-based | Always available |\n\nAuto-detection picks the best available backend.\n\n### MU-Plugin Worker\n\n- Loads on `muplugins_loaded` (priority 1) — before themes and plugins\n- Own autoloader — zero dependency on WordPress plugin system\n- Automatic install on activation, removal on deactivation\n- **Auto-update** — worker file is automatically replaced when its version doesn't match the plugin version\n\n### Cloudflare Support\n\n- Automatic real IP detection via `CF-Connecting-IP` header\n- Cloudflare IP range validation to prevent header spoofing\n\n### Request Logging\n\n- Optional logging of all blocked requests (time, IP, reason, User-Agent, URL)\n- Admin log viewer with table display\n- One-click log clearing\n\n## Installation\n\n**Via Composer:**\n\n```bash\ncomposer require lwplugins/lw-firewall\n```\n\n**Manual:**\n\n1. Download the latest release ZIP\n2. Upload to `/wp-content/plugins/`\n3. Activate in WordPress admin\n\n## Settings\n\nNavigate to **LW Plugins \u003e Firewall** in the admin panel.\n\n| Tab | Description |\n|-----|-------------|\n| **General** | Enable/disable, storage backend, rate limit, time window, action, filter params |\n| **Protection** | Endpoint toggles (cron, xmlrpc, login, REST API, 404) and auto-ban settings |\n| **Bots** | Manage blocked bot User-Agent patterns |\n| **IP Rules** | IP whitelist and blacklist (IPs and CIDR ranges) |\n| **Geo Blocking** | Country-based blocking with Cloudflare or CIDR fallback |\n| **Security** | HTTP security headers toggle |\n| **Status** | MU-plugin worker status, worker version, active storage backend, reinstall worker |\n| **Logs** | Enable logging, view blocked requests, clear log |\n| **Import / Export** | Export settings as JSON, import on another site |\n\n## WP-CLI Commands\n\n```bash\n# Show firewall status overview\nwp lw-firewall status\n\n# Configuration\nwp lw-firewall config list\nwp lw-firewall config set rate_limit 50\nwp lw-firewall config set storage redis\nwp lw-firewall config set protect_login true\nwp lw-firewall config set auto_ban_enabled true\nwp lw-firewall config reset --yes\n\n# Bot management\nwp lw-firewall bots list\nwp lw-firewall bots add \"BadBot/1.0\"\nwp lw-firewall bots remove \"BadBot/1.0\"\n\n# IP whitelist / blacklist\nwp lw-firewall ip list whitelist\nwp lw-firewall ip list blacklist\nwp lw-firewall ip add whitelist 192.168.1.100\nwp lw-firewall ip add blacklist 10.0.0.0/8\nwp lw-firewall ip remove whitelist 192.168.1.100\n\n# Geo blocking\nwp lw-firewall geo list\nwp lw-firewall geo add CN\nwp lw-firewall geo remove CN\nwp lw-firewall geo update\n\n# Log management\nwp lw-firewall logs list --limit=50\nwp lw-firewall logs clear --yes\n\n# MU-plugin worker\nwp lw-firewall worker install\nwp lw-firewall worker remove\n```\n\n## wp-config.php Overrides\n\nOverride any setting via constants (takes precedence over admin UI):\n\n```php\ndefine( 'LW_FIREWALL_ENABLED', true );\ndefine( 'LW_FIREWALL_STORAGE', 'apcu' );            // apcu, redis, file\ndefine( 'LW_FIREWALL_RATE_LIMIT', 30 );\ndefine( 'LW_FIREWALL_RATE_WINDOW', 60 );             // seconds\ndefine( 'LW_FIREWALL_ACTION', '429' );                // 429 or redirect\ndefine( 'LW_FIREWALL_PROTECT_CRON', true );\ndefine( 'LW_FIREWALL_PROTECT_XMLRPC', true );\ndefine( 'LW_FIREWALL_PROTECT_LOGIN', true );\ndefine( 'LW_FIREWALL_PROTECT_REST_API', false );\ndefine( 'LW_FIREWALL_PROTECT_404', false );\ndefine( 'LW_FIREWALL_AUTO_BAN_ENABLED', true );\ndefine( 'LW_FIREWALL_AUTO_BAN_THRESHOLD', 3 );\ndefine( 'LW_FIREWALL_AUTO_BAN_DURATION', 3600 );     // seconds\ndefine( 'LW_FIREWALL_SECURITY_HEADERS', true );\ndefine( 'LW_FIREWALL_LOG_ENABLED', false );\ndefine( 'LW_FIREWALL_GEO_ENABLED', true );\n```\n\n## Requirements\n\n- PHP 8.1 or higher\n- WordPress 6.0 or higher\n\n## Part of LW Plugins\n\nLW Firewall is part of the [LW Plugins](https://github.com/lwplugins) family — lightweight WordPress plugins with minimal footprint and maximum impact.\n\n| Plugin | Description |\n|--------|-------------|\n| [LW SEO](https://github.com/lwplugins/lw-seo) | Essential SEO features without the bloat |\n| [LW Disable](https://github.com/lwplugins/lw-disable) | Disable WordPress features |\n| [LW Enable](https://github.com/lwplugins/lw-enable) | Enable WordPress features like SVG uploads |\n| [LW ZenAdmin](https://github.com/lwplugins/lw-zenadmin) | Clean up your admin — notices sidebar \u0026 widget manager |\n| **LW Firewall** | Lightweight firewall — rate limiting, bot blocking, auto-ban |\n| [LW Cookie](https://github.com/lwplugins/lw-cookie) | GDPR-compliant cookie consent |\n| [LW LMS](https://github.com/lwplugins/lw-lms) | Lightweight LMS — courses, lessons, progress tracking |\n| [LW Translate](https://github.com/lwplugins/lw-translate) | Manage community translations from GitHub |\n| [LW Site Manager](https://github.com/lwplugins/lw-site-manager) | Site maintenance via AI/REST using Abilities API |\n\n## License\n\nGPL-2.0-or-later. See [LICENSE](https://www.gnu.org/licenses/gpl-2.0.html) for details.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n\n## Sponsor\n\n\u003ca href=\"https://sinann.io/\"\u003e\n  \u003cimg src=\"https://sinann.io/favicon.svg\" alt=\"Sinann\" width=\"40\"\u003e\n\u003c/a\u003e\n\nSupported by [Sinann](https://sinann.io/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flwplugins%2Flw-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flwplugins%2Flw-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flwplugins%2Flw-firewall/lists"}