Save 15% with code 
Firewall & Patterns
String-matching firewall with 600+ patterns, input normalization pipeline, and 5 scan categories. Per-pattern toggles, custom patterns, hit tracking, and response codes.
Last updated Feb 22, 2026
Overview
The ArmorPro firewall is a request-level filter that inspects every incoming HTTP request and blocks those that match known malicious patterns. It runs inside WordPress on every page load, checking the request URI, query string, user agent, referrer, and IP address against its pattern database.
Unlike regex-based firewalls, ArmorPro uses stripos string matching for pattern detection. This approach is significantly faster and eliminates the risk of ReDoS (Regular Expression Denial of Service) attacks that can be used against regex-based firewalls.
Master toggle
The firewall is controlled by a master toggle at the top of the Firewall tab. When disabled, no requests are inspected or blocked. All firewall settings and the pattern manager are hidden until the toggle is enabled.
How it works
On every request, the firewall checks the following components against all enabled patterns:
- The request URI is checked against Request URI and IP Address patterns
- The query string is checked against Query String patterns
- The user agent header is checked against User Agent patterns
- The referrer header is checked against Referrer patterns
If any pattern matches, the request is immediately blocked with the configured response code. The block is logged in the firewall log with the matched pattern and request details.
Input normalization
Before pattern matching, ArmorPro normalizes every request field through a multi-step pipeline. This prevents attackers from bypassing patterns by encoding their payloads in different ways. The normalization runs automatically on every request with zero configuration.
| Step | What it does | Evasion it prevents |
|---|---|---|
| URL decoding | Double rawurldecode() to catch double-encoded payloads | %65val or %2565val becoming eval |
| HTML entity decoding | Decodes 30 named HTML entities plus all numeric entities (e, e) | eval( becoming eval( |
| Hex escape decoding | Converts \x41 style hex escapes to their ASCII character | \x65val becoming eval |
| Octal escape decoding | Converts \101 style octal escapes to their ASCII character | \145val becoming eval |
| Unicode escape decoding | Converts %u0041, \u0041, and \u{41} formats | %u0065val becoming eval |
| SQL comment stripping | Removes inline SQL comments (/* */) used to break up keywords | ev/**/al becoming eval, un/*x*/ion becoming union |
| Concatenation removal | Removes string concatenation operators between quotes ('+', '.') | 'ev'+'al' becoming 'eval' |
| Null byte stripping | Removes \x00 and %00 null bytes | Null byte injection to truncate strings or bypass filters |
All normalization steps run in sequence, so combined evasion techniques (for example, HTML-encoding a hex escape) are also caught. The normalized value is only used for pattern matching; the original request is preserved for logging.
Built-in patterns
ArmorPro ships with over 600 built-in patterns across five categories:
| Category | What it blocks | Examples |
|---|---|---|
| Request URI | Dangerous paths, shell files, exploit paths | wp-config.php, .env, shell.php |
| Query String | SQL injection, malicious parameters | UNION SELECT, eval(, base64_decode |
| User Agent | 120+ known scanners, scrapers, attack tools | sqlmap, nikto, masscan |
| Referrer | Spam referrers | Known referrer spam domains |
| IP Address | Known malicious IP patterns | Commonly abused IP ranges |
Pattern matching modes
Each pattern uses one of three matching modes:
- contains — Matches if the pattern string appears anywhere in the checked value (substring match)
- endswith — Matches if the checked value ends with the pattern string (suffix match)
- contains_path — Matches against the URI path component only, ignoring query strings
Pattern manager
The pattern manager is the main interface for viewing and controlling firewall patterns. It is located in the Firewall tab below the master toggle.
Pattern table
Each pattern is displayed in a table row with the following columns:
- Enabled — Toggle switch to enable or disable the individual pattern
- Category — Which request component the pattern checks (Request URI, Query String, User Agent, Referrer, IP Address)
- Pattern — The actual string being matched against
- Description — A brief explanation of what the pattern blocks
- Hits — The number of times this pattern has matched and blocked a request
Filtering and management
Use the category filter dropdown to view patterns from a specific category. You can enable or disable individual patterns without affecting others. The Reset Hit Counters button clears all hit counts back to zero.
Custom patterns
You can add your own patterns to extend the firewall beyond the built-in set. Custom patterns use the same string matching engine as built-in patterns.
To add a custom pattern:
- Find the Add Custom Pattern form in the Firewall tab
- Select a Category (Request URI, Query String, User Agent, Referrer, or IP Address)
- Enter the Pattern string to match
- Add a Description explaining what it blocks
- Click Add Pattern
Custom patterns can be toggled on and off or deleted entirely. Built-in patterns can be toggled but not deleted.
Important
Patterns use string matching (stripos), not regular expressions. A pattern of eval( will match any request containing that exact substring. This is intentional: it prevents ReDoS attacks and keeps pattern matching fast, but it means patterns match substrings anywhere in the checked value.
Firewall settings
Request length limit
Block requests with an unusually large URI or query string. This can prevent certain buffer overflow and injection attacks that rely on oversized payloads. Disabled by default.
Skip logged-in users
When enabled, authenticated WordPress users bypass the firewall entirely. This is off by default. Enable it if the firewall is causing false positives for your logged-in administrators or editors.
Auto-blacklist threshold
IPs that trigger the firewall repeatedly can be automatically added to the permanent blacklist. Options: disabled (default), 3, 5, 10, 15, or 20 firewall hits. When triggered, the IP is added to the Access Control blacklist.
Response code
Choose which HTTP response code is returned to blocked requests:
- 403 Forbidden — Standard denial response. The visitor sees an error page.
- 410 Gone — Tells the requester the resource is permanently gone. Can discourage further scanning.
- 444 Connection Closed — Drops the connection without sending any response body. The most aggressive option, giving attackers no information at all.
Firewall log
Every blocked request is recorded in the firewall log, accessible from the Firewall tab. The log shows:
| Column | Description |
|---|---|
| IP | The blocked IP address |
| Country | Country of origin based on GeoIP lookup |
| Matched Rule | The specific pattern that triggered the block |
| Request Info | The URI, query string, and HTTP method of the blocked request |
| Time | When the block occurred |
| Actions | Whitelist or blacklist the IP |
The log can be exported as a CSV file. Log retention is 7 days on the free tier and 90 days on Pro.
Custom block page
When a request is blocked by the firewall (using 403 or 410 response codes), ArmorPro renders a custom block page informing the visitor that their request was denied. The page is clean, branded, and does not reveal which specific pattern was matched.
Tip
If you see false positives in the firewall log (legitimate requests being blocked), disable the specific pattern causing the issue rather than turning off the entire firewall. Use the category filter to quickly find the pattern, then toggle it off.
Enhanced firewall
The standard firewall runs inside WordPress after PHP and WordPress have fully loaded. For maximum protection, ArmorPro also offers an Enhanced Firewall (WAF) that runs at the PHP engine level before WordPress loads, blocking malicious requests even earlier in the request lifecycle.