Firewall & Rule Management

8G Firewall with 138 rules across 6 categories. Per-rule enable/disable, auto-blacklist, and detailed logging.

Last updated Feb 10, 2026

What the firewall does

ArmorPro includes a full 8G Firewall based on Jeff Starr's open-source 8G Firewall. It inspects incoming requests and blocks those that match known attack patterns. The firewall runs at the plugins_loaded hook with the earliest priority, so malicious requests are stopped before WordPress fully loads.

Rule categories

Go to ArmorPro → Firewall to see the master toggle and category-level controls. The firewall includes 138 individual rules organized into 6 categories:

| Category | Rules | What it blocks |
|---|---|---|
| Bad Methods | 5 | Dangerous HTTP methods: CONNECT, DEBUG, MOVE, TRACE, TRACK |
| Bad Query Strings | 43 | SQL injection, path traversal, code execution, null bytes, exploit signatures |
| Bad Request URIs | 43 | Shell files, backdoors, config file access, dangerous extensions, exploit paths |
| Bad User Agents | 42 | Scanners (Nmap, Nikto, WPScan), scrapers, malicious bots, suspicious HTTP libraries |
| Bad Referrers | 4 | Spam referrers (semalt, darodar) and pharma/gambling spam domains |
| Bad Cookies | 1 | Malicious characters in cookie values (null bytes, CRLF injection). Off by default. |

Each category has its own toggle so you can enable or disable entire groups at once. The Bad Cookies rule is disabled by default since it can cause false positives with some caching plugins.

Rule Management

The Rule Management card on the Firewall tab gives you granular control over every individual rule.

Filtering and searching

  • Category filter buttons: All, Methods, Cookies, Query Strings, Request URIs, User Agents, Referrers
  • Search: Find rules by ID (e.g. qs_12) or description
  • Disabled only: Checkbox to show only rules you've turned off

Toggling rules

Each rule shows its ID, a human-readable description of what it blocks, and a toggle switch. Flip the toggle to instantly enable or disable that rule. A summary at the top shows the count of active vs. disabled rules.

Rule ID format

Rules follow a consistent naming pattern:

  • method_connect, method_trace — HTTP method rules
  • qs_01 through qs_43 — Query string patterns
  • uri_01 through uri_43 — Request URI patterns
  • ua_01 through ua_42 — User agent rules
  • ref_01 through ref_04 — Referrer rules
  • cookie_01 — Cookie value rule

Firewall stats

The stats card at the top of the Firewall tab shows:

  • Total Firewall Blocks — Across all rules
  • Bad Query Strings — Count of query string rule matches
  • Bad Request URIs — Count of URI rule matches
  • Bad Request Methods — Count of method rule matches
  • Bad Cookies — Count of cookie matches (shown only when the cookie rule is enabled)

Firewall log

The log at the bottom of the Firewall tab shows every blocked request. Filter by rule category using the tabs: All, Query Strings, Request URIs, Methods, User Agents, Referrers, Cookies.

Each entry shows:

  • Time: When the request was blocked
  • IP Address: Source of the request with country flag
  • Rule Triggered: Which rule category matched
  • Request: The URL and parameters that were blocked

Use Clear Log to remove all entries or Export CSV to download for analysis.

XML-RPC and REST API

XML-RPC blocking

Blocks all requests to xmlrpc.php. XML-RPC is an older remote publishing protocol frequently abused for brute force and DDoS amplification attacks.

Keep enabled unless you use:

  • Jetpack (requires XML-RPC)
  • WordPress mobile app
  • Specific plugins that depend on XML-RPC

REST API protection

Requires authentication for REST API user enumeration endpoints. Prevents attackers from discovering valid usernames via /wp-json/wp/v2/users.

Recommendation: Keep enabled.

False positives

Sometimes legitimate requests match a rule. Common causes:

  • Plugin conflicts: Some plugins use unusual request patterns that trigger query string or URI rules
  • Form submissions: User content that accidentally matches SQL injection or script patterns
  • API integrations: Third-party services with unusual user agents or request formats

To resolve false positives:

  1. Check the firewall log to identify the exact rule ID that triggered (e.g. qs_12)
  2. Go to Rule Management and search for that rule ID
  3. Disable the specific rule — this is safer than disabling the entire category
  4. Alternatively, whitelist the IP if it's a trusted source

Tip

Use the "Disabled only" checkbox in Rule Management to quickly review all rules you've turned off and re-enable them if needed.

Auto-blacklist

Automatically blacklist IPs that repeatedly trigger firewall rules within a time window.

Go to ArmorPro → Firewall and configure:

  • Threshold: Number of firewall blocks before auto-blacklisting (10, 15, 25, or 50 hits)
  • Time window: Period in which blocks are counted (30 minutes, 1 hour, 2 hours, or 6 hours)

For example, setting 25 hits within 1 hour means any IP that triggers 25 firewall blocks in a 1-hour window gets permanently blacklisted. Auto-blacklisted IPs appear in the Access Control blacklist with a note like "Auto: 5 blocks" and an expiration date.
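To compare threshold and window settings before changing them, the sketch below replays a log export through a sliding-window counter. It is an added example, not ArmorPro's code: the CSV column names (time, ip, rule, request), the sliding-window counting method, and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLDS = (10, 15, 25, 50)      # hit counts the page lists
WINDOWS_MIN = (30, 60, 120, 360)   # time windows the page lists, in minutes

def build_sample_csv():
    """Constructed export; column names and layout are assumed."""
    start = datetime(2026, 2, 10, 9, 0)
    # (ip, rule, number of blocks, minutes between blocks), all constructed
    sources = [("203.0.113.7", "qs_12", 12, 2),     # fast burst
               ("192.0.2.5", "uri_03", 10, 10),     # slow and steady
               ("198.51.100.20", "ua_07", 3, 60)]   # occasional
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["time", "ip", "rule", "request"])
    for ip, rule, count, gap in sources:
        for i in range(count):
            when = start + timedelta(minutes=gap * i)
            out.writerow([when.isoformat(), ip, rule, "/?example=1"])
    return buf.getvalue()

def would_blacklist(csv_text, threshold, window_minutes):
    """Map each IP to the time of the block that reaches the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)    # ip -> block times still inside the window
    tripped = {}
    rows = csv.DictReader(io.StringIO(csv_text))
    for row in sorted(rows, key=lambda r: datetime.fromisoformat(r["time"])):
        ip, now = row["ip"], datetime.fromisoformat(row["time"])
        if ip in tripped:
            continue               # already listed; later blocks add nothing
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] >= window:
            hits.popleft()         # drop blocks that aged out of the window
        if len(hits) >= threshold:
            tripped[ip] = now
    return tripped

def sweep(csv_text):
    """Listed IPs for every threshold/window pair, for comparing settings."""
    return {(t, w): sorted(would_blacklist(csv_text, t, w))
            for t in THRESHOLDS for w in WINDOWS_MIN}

if __name__ == "__main__":
    for (t, w), ips in sweep(build_sample_csv()).items():
        print(f"{t} hits / {w} min -> {ips}")
```

In the constructed data, the source that sends one blocked request every 10 minutes is missed by a 10-hit threshold at 30 or 60 minutes and is only caught once the window is widened to 2 hours.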

Performance

The firewall is optimized for minimal performance impact:

  • Pattern arrays are lazy-loaded once per request
  • Input length checks prevent expensive regex on oversized inputs (4000 char limit for URIs/queries)
  • Server IP detection is cached to skip self-requests (wp-cron, loopback)
  • WordPress admin, AJAX, and login pages are fast-path excluded