Firewall & Rule Management
8G Firewall with 138 rules across 6 categories. Per-rule enable/disable, auto-blacklist, and detailed logging.
Last updated Feb 10, 2026
What the firewall does
ArmorPro includes a full 8G Firewall based on Jeff Starr's open-source 8G Firewall. It inspects incoming requests and blocks those that match known attack patterns. The firewall runs at the plugins_loaded hook with the earliest priority, so malicious requests are stopped before WordPress fully loads.
Rule categories
Go to ArmorPro → Firewall to see the master toggle and category-level controls. The firewall includes 138 individual rules organized into 6 categories:
| Category | Rules | What it blocks |
|---|---|---|
| Bad Methods | 5 | Dangerous HTTP methods: CONNECT, DEBUG, MOVE, TRACE, TRACK |
| Bad Query Strings | 43 | SQL injection, path traversal, code execution, null bytes, exploit signatures |
| Bad Request URIs | 43 | Shell files, backdoors, config file access, dangerous extensions, exploit paths |
| Bad User Agents | 42 | Scanners (Nmap, Nikto, WPScan), scrapers, malicious bots, suspicious HTTP libraries |
| Bad Referrers | 4 | Spam referrers (semalt, darodar) and pharma/gambling spam domains |
| Bad Cookies | 1 | Malicious characters in cookie values (null bytes, CRLF injection). Off by default. |
Each category has its own toggle so you can enable or disable entire groups at once. The Bad Cookies rule is disabled by default since it can cause false positives with some caching plugins.
Rule Management
The Rule Management card on the Firewall tab gives you granular control over every individual rule.
Filtering and searching
- Category filter buttons: All, Methods, Cookies, Query Strings, Request URIs, User Agents, Referrers
- Search: Find rules by ID (e.g. qs_12) or description
- Disabled only: Checkbox to show only rules you've turned off
Toggling rules
Each rule shows its ID, a human-readable description of what it blocks, and a toggle switch. Flip the toggle to instantly enable or disable that rule. A summary at the top shows the count of active vs. disabled rules.
Rule ID format
Rules follow a consistent naming pattern:
- method_connect, method_trace — HTTP method rules
- qs_01 through qs_43 — Query string patterns
- uri_01 through uri_43 — Request URI patterns
- ua_01 through ua_42 — User agent rules
- ref_01 through ref_04 — Referrer rules
- cookie_01 — Cookie value rule
Firewall stats
The stats card at the top of the Firewall tab shows:
- Total Firewall Blocks — Across all rules
- Bad Query Strings — Count of query string rule matches
- Bad Request URIs — Count of URI rule matches
- Bad Request Methods — Count of method rule matches
- Bad Cookies — Count of cookie matches (shown only when the cookie rule is enabled)
Firewall log
The log at the bottom of the Firewall tab shows every blocked request. Filter by rule category using the tabs: All, Query Strings, Request URIs, Methods, User Agents, Referrers, Cookies.
Each entry shows:
- Time: When the request was blocked
- IP Address: Source of the request with country flag
- Rule Triggered: Which rule category matched
- Request: The URL and parameters that were blocked
Use Clear Log to remove all entries or Export CSV to download for analysis.
XML-RPC and REST API
XML-RPC blocking
Blocks all requests to xmlrpc.php. XML-RPC is an older remote publishing protocol frequently abused for brute force and DDoS amplification attacks.
Keep enabled unless you use:
- Jetpack (requires XML-RPC)
- WordPress mobile app
- Specific plugins that depend on XML-RPC
REST API protection
Requires authentication for REST API user enumeration endpoints. Prevents attackers from discovering valid usernames via /wp-json/wp/v2/users.
Recommendation: Keep enabled.
False positives
Sometimes legitimate requests match a rule. Common causes:
- Plugin conflicts: Some plugins use unusual request patterns that trigger query string or URI rules
- Form submissions: User content that accidentally matches SQL injection or script patterns
- API integrations: Third-party services with unusual user agents or request formats
To resolve false positives:
- Check the firewall log to identify the exact rule ID that triggered (e.g. qs_12)
- Go to Rule Management and search for that rule ID
- Disable the specific rule — this is safer than disabling the entire category
- Alternatively, whitelist the IP if it's a trusted source
Tip
Use the "Disabled only" checkbox in Rule Management to quickly review all rules you've turned off and re-enable them if needed.
Auto-blacklist
Automatically blacklist IPs that repeatedly trigger firewall rules within a time window.
Go to ArmorPro → Firewall and configure:
- Threshold: Number of firewall blocks before auto-blacklisting (10, 15, 25, or 50 hits)
- Time window: Period in which blocks are counted (30 minutes, 1 hour, 2 hours, or 6 hours)
For example, setting 25 hits within 1 hour means any IP that triggers 25 firewall blocks in a 1-hour window gets permanently blacklisted. Auto-blacklisted IPs appear in the Access Control blacklist with a note like "Auto: 5 blocks" and an expiration date.
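To pick a threshold and time window before turning auto-blacklist on, you can replay a log exported with Export CSV against every combination and see which IPs each setting would have blacklisted. The script below is an added example, not ArmorPro's own code. It assumes the export has time, ip, rule_id and request columns with timestamps in YYYY-MM-DD HH:MM:SS form and that a block exactly one window old no longer counts; the log rows are constructed and use documentation-range addresses.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The threshold and time-window choices offered on the Firewall settings page.
THRESHOLDS = (10, 15, 25, 50)
WINDOWS = {"30 minutes": timedelta(minutes=30), "1 hour": timedelta(hours=1),
           "2 hours": timedelta(hours=2), "6 hours": timedelta(hours=6)}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export

def build_sample_csv():
    """Constructed log: one burst source and one slow repeat source."""
    start = datetime(2026, 2, 10, 9, 0, 0)
    lines = ["time,ip,rule_id,request"]  # assumed column names
    for i in range(12):
        fast = (start + timedelta(minutes=i)).strftime(TIME_FORMAT)
        slow = (start + timedelta(minutes=10 * i)).strftime(TIME_FORMAT)
        lines.append(f"{fast},203.0.113.7,uri_05,/sample-path-{i}")
        lines.append(f"{slow},198.51.100.20,qs_12,/?sample={i}")
    return "\n".join(lines)

def would_blacklist(csv_text, threshold, window):
    """Map each IP to the time of the block that reaches the threshold."""
    recent = defaultdict(deque)  # ip -> block times still inside the window
    tripped = {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        ip = row["ip"]
        if ip in tripped:
            continue
        ts = datetime.strptime(row["time"], TIME_FORMAT)
        hits = recent[ip]
        hits.append(ts)
        # Assumption: a block exactly one window old no longer counts.
        while ts - hits[0] >= window:
            hits.popleft()
        if len(hits) >= threshold:
            tripped[ip] = ts
    return tripped

def sweep(csv_text):
    """Run every threshold/window combination; values are sorted IP lists."""
    return {(t, name): sorted(would_blacklist(csv_text, t, w))
            for t in THRESHOLDS for name, w in WINDOWS.items()}

SAMPLE = build_sample_csv()
if __name__ == "__main__":
    for (t, name), ips in sweep(SAMPLE).items():
        print(f"{t} hits / {name}: {ips or 'no IP blacklisted'}")
```

In the constructed log the burst source trips 10 hits within 30 minutes, while the slow source (one block every 10 minutes) is only caught once the window is widened to 2 hours.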
Performance
The firewall is optimized for minimal performance impact:
- Pattern arrays are lazy-loaded once per request
- Input length checks prevent expensive regex on oversized inputs (4000 char limit for URIs/queries)
- Server IP detection is cached to skip self-requests (wp-cron, loopback)
- WordPress admin, AJAX, and login pages are fast-path excluded