Enhanced Firewall (WAF)

PHP-level firewall that runs before WordPress loads. Auto-detects server type, syncs patterns, and blocks requests in ~1ms.

Last updated Feb 22, 2026

Overview

The Enhanced Firewall (WAF) is a PHP-level firewall that runs before WordPress loads. While the standard firewall inspects requests inside WordPress after the full PHP and WordPress bootstrap, the Enhanced WAF intercepts requests at the earliest possible point in the PHP execution lifecycle.

This means malicious requests are blocked before WordPress core, plugins, themes, or the database are touched. The overhead is approximately 1ms per request, making it one of the fastest ways to protect your site.

Standard vs enhanced firewall

| Feature | Standard firewall | Enhanced firewall (WAF) |
|---|---|---|
| When it runs | After PHP + WordPress fully load | Before any WordPress code executes |
| How it loads | WordPress plugin hook | auto_prepend_file PHP directive |
| Pattern database | WordPress database | Flat PHP files (synced from database) |
| Blocks before WP loads | No | Yes |
| Performance overhead | Part of WordPress request cycle | ~1ms standalone |
| Configuration | Automatic with plugin | One-click install with server auto-detection |

Both firewalls use the same pattern database, matching engine, and input normalization pipeline. The Enhanced WAF simply applies them earlier in the request lifecycle.

Server compatibility

ArmorPro auto-detects your server type during installation and configures the WAF accordingly:

| Server type | Configuration method |
|---|---|
| Apache (mod_php) | .htaccess directive |
| Apache (CGI/FastCGI) | .user.ini directive |
| Nginx | .user.ini directive (or manual php.ini) |
| LiteSpeed | .user.ini directive |

Installation

Installing the Enhanced Firewall takes one click:

  1. Navigate to ArmorPro → Firewall
  2. Find the Enhanced Firewall card
  3. Click Install

ArmorPro then performs the following steps automatically:

  1. Auto-detects your server type (Apache, Nginx, LiteSpeed)
  2. Creates the wp-content/armor-waf/ directory
  3. Copies the firewall engine to armor-waf/firewall.php
  4. Syncs patterns and settings to flat PHP files inside armor-waf/
  5. Creates armor-waf.php bootstrap file in the WordPress root directory
  6. Configures auto_prepend_file via .htaccess or .user.ini

Tip

After installing, click Verify to confirm the WAF is active. ArmorPro checks for the ARMOR_WAF_ACTIVE constant, which is set by the WAF engine on every request it processes.
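For an independent check from outside the admin UI, the probe below is an added example (not ArmorPro code) that reports whether auto_prepend_file points at the bootstrap, whether ARMOR_WAF_ACTIVE was defined for this request, and whether the engine and data files are present. It assumes a hypothetical probe file placed temporarily in the WordPress root, requested over HTTP so it runs under the site's own SAPI and per-directory configuration, with wp-content/ in its default location.

```php
<?php
// Added example, not ArmorPro code. The function name armor_waf_probe()
// is hypothetical. Place the file in the WordPress root and request it
// through the web server; the CLI does not read .htaccess or .user.ini.

function armor_waf_probe(string $wpRoot): array
{
    $prepend  = (string) ini_get('auto_prepend_file');
    $dataDir  = $wpRoot . '/wp-content/armor-waf';   // assumes default wp-content path
    $expected = ['firewall.php', 'settings.php', 'patterns.php',
                 'whitelist.php', 'blacklist.php'];

    // Collect engine/data files that are absent, unreadable or empty.
    $missing = [];
    foreach ($expected as $name) {
        $path = $dataDir . '/' . $name;
        if (!is_file($path) || !is_readable($path) || filesize($path) === 0) {
            $missing[] = $name;
        }
    }

    return [
        'sapi'                    => PHP_SAPI,
        'prepend_configured'      => $prepend !== '' && basename($prepend) === 'armor-waf.php',
        'prepend_target_readable' => $prepend !== '' && is_readable($prepend),
        'engine_ran'              => defined('ARMOR_WAF_ACTIVE'),
        'missing_or_empty'        => $missing,
        // How long PHP caches .user.ini before re-reading it (seconds).
        'user_ini_cache_ttl'      => (int) ini_get('user_ini.cache_ttl'),
    ];
}

// Only booleans, file names and the SAPI name are returned; no absolute paths.
header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode(armor_waf_probe(__DIR__), JSON_PRETTY_PRINT), "\n";
```

If prepend_configured is true but engine_ran is false, the bootstrap is wired in but the engine did not process the request. After a .user.ini change, allow up to user_ini_cache_ttl seconds (300 by default) before re-checking, and delete the probe file when finished.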

WAF data files

The Enhanced WAF reads its configuration from flat PHP files instead of the WordPress database. This is what allows it to run before WordPress loads. The following files are maintained in wp-content/armor-waf/:

| File | Contents |
|---|---|
| settings.php | Firewall configuration (response code, request length limit, skip logged-in, auto-blacklist threshold) |
| patterns.php | All enabled firewall patterns with their categories and matching modes |
| whitelist.php | All whitelisted IP addresses |
| blacklist.php | All blacklisted IP addresses with expiry dates |

Auto-sync

Whenever you make changes in the WordPress admin that affect the WAF, ArmorPro automatically syncs the updated data to the flat files:

  • Enable or disable a firewall pattern → patterns.php is updated
  • Add or remove a custom pattern → patterns.php is updated
  • Add or remove a whitelisted IP → whitelist.php is updated
  • Add or remove a blacklisted IP → blacklist.php is updated
  • Change firewall settings → settings.php is updated

This means you manage everything through the normal ArmorPro admin interface. The WAF data files stay in sync automatically.

Management controls

Once installed, the Enhanced Firewall card shows three management buttons:

  • Verify — Tests whether the WAF is actively processing requests by checking for the ARMOR_WAF_ACTIVE constant. Returns a green confirmation or a warning if the WAF is not loading.
  • Force Sync — Re-exports all configuration, patterns, whitelist, and blacklist data to the flat PHP files. Use this if you suspect the files are out of date.
  • Remove — Uninstalls the WAF completely. Removes the armor-waf/ directory, the bootstrap file, and the auto_prepend_file directive from .htaccess or .user.ini.

Fail-open design

The Enhanced WAF is designed with a fail-open approach. If the WAF engine encounters any error during execution (missing files, corrupted data, PHP errors), the request is allowed through rather than blocked. This ensures that a WAF issue never takes your entire site offline.

The standard in-WordPress firewall remains active as a backup, so even if the WAF encounters an error, requests are still inspected once WordPress loads.
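The fail-open pattern described above, as an added illustration that is not ArmorPro's code: any error inside the inspection step results in "allow", and the wrapper logs the event so an uninspected request still leaves a trace. The functions toy_inspect() and waf_decide(), the pattern file format and the sample URIs are hypothetical and constructed for the demo.

```php
<?php
// Added illustration of a fail-open prepend wrapper; not ArmorPro's code.
// toy_inspect(), waf_decide() and the data layout are hypothetical.

function toy_inspect(string $dataDir, string $uri): bool
{
    // A missing include or a bad regex only raises a warning, so warnings
    // are promoted to exceptions to reach the catch in waf_decide().
    set_error_handler(static function (int $no, string $msg, string $file, int $line): bool {
        throw new ErrorException($msg, 0, $no, $file, $line);
    });
    try {
        $patterns = include $dataDir . '/patterns.php'; // corrupt file: ParseError
        if (!is_array($patterns)) {
            throw new UnexpectedValueException('patterns.php did not return an array');
        }
        foreach ($patterns as $regex) {
            if (preg_match($regex, $uri) === 1) {
                return true;  // a pattern matched
            }
        }
        return false;
    } finally {
        restore_error_handler();
    }
}

function waf_decide(string $dataDir, string $uri): string
{
    try {
        return toy_inspect($dataDir, $uri) ? 'block' : 'allow';
    } catch (Throwable $e) {
        // Fail open, but log it so the uninspected request is visible.
        error_log('[waf] fail-open: ' . get_class($e) . ': ' . $e->getMessage());
        return 'allow';
    }
}

// Constructed demo data: one pattern file, then a directory that does not exist.
$dir = sys_get_temp_dir() . '/waf-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/patterns.php', "<?php return ['~\\.\\./~'];");
echo waf_decide($dir, '/index.php?f=../../x'), "\n";         // URI matching the pattern
echo waf_decide($dir, '/index.php?p=1'), "\n";               // clean URI
echo waf_decide($dir . '/missing', '/index.php?f=../x'), "\n"; // engine error path
unlink($dir . '/patterns.php');
rmdir($dir);
```

Because a fail-open engine produces no block page when it breaks, the log line is the signal to alert on; errors PHP cannot surface as a Throwable (for example memory exhaustion) are outside what a wrapper like this can handle.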

Manual configuration

If the automatic installation cannot configure auto_prepend_file (for example, on servers where .user.ini is not supported), you can configure it manually.

Add the following to your server's php.ini or PHP-FPM pool configuration:

auto_prepend_file = /path/to/your/wordpress/armor-waf.php

Replace the path with the full absolute path to the armor-waf.php file in your WordPress root directory. After making the change, restart PHP-FPM or your web server for the setting to take effect.

Important

If you change hosting providers or server configuration (for example, migrating from Apache to Nginx), you may need to reinstall the Enhanced Firewall. Use the Remove button first, then Install again to reconfigure for the new environment.