NinjaFirewall WP+ : the supercharged edition.

NinjaFirewall (WP+ Edition) is a supercharged edition of our Web Application Firewall. It adds many exciting new features and blazing-fast performance to make it the fastest and most advanced security plugin for WordPress.

1. Shared Memory use

Although NinjaFirewall is already much faster than other WordPress plugins, the WP+ Edition brings its performance to a whole new level by using Unix shared memory to speed things up even more. This allows easier and faster inter-process communication between the firewall and the plugin part of NinjaFirewall and, because its data and configuration are stored in shared memory segments, the firewall no longer needs to connect to the database. This dramatically increases the processing speed (there is nothing faster than RAM) and avoids blocking I/O and slow MySQL queries. On a very busy server, such as a multi-site network, the firewall processing speed will increase by 25% to 30%.

This option can be enabled from the "Firewall Options" menu:

This feature requires PHP to be compiled with the --enable-shmop parameter. If you want to know whether your server/site is compatible with it, download our test script, rename it to shmop.php, upload it to your WordPress site and call it from your browser.
If your server is not compatible (e.g., basic shared hosting account), you can still install and run NinjaFirewall as usual.
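
A compatibility check of this kind can be written in a few lines. The script below is an added example, not NinjaFirewall's test script: it confirms that the shmop functions exist and that a 20KB segment can be created, written, read and removed. The fallback key and the 0600 permissions are values chosen for the example.

```php
<?php
// Added example, not NinjaFirewall's test script.
// Checks that shmop is available and that a 20 KB segment can be created.
// The fallback key and the 0600 mode are values chosen for this example.

function shmop_self_test(int $size = 20480): array
{
    if (!extension_loaded('shmop') || !function_exists('shmop_open')) {
        return [false, 'shmop is not available (PHP built without --enable-shmop, or the functions are disabled)'];
    }

    // System V IPC key derived from this file; constant fallback if ftok() fails.
    $key = function_exists('ftok') ? ftok(__FILE__, 'n') : -1;
    if ($key === -1) {
        $key = 0x4e465701;
    }

    // "c" creates the segment; 0600 restricts it to the user PHP runs as.
    $shm = @shmop_open($key, 'c', 0600, $size);
    if ($shm === false) {
        return [false, 'shmop_open() failed: shared memory is disabled or restricted on this host'];
    }

    // Round-trip a random marker to confirm the segment is readable and writable.
    $marker  = bin2hex(random_bytes(16));
    $written = shmop_write($shm, $marker, 0);
    $read    = shmop_read($shm, 0, strlen($marker));

    shmop_delete($shm);              // mark the segment for removal
    if (PHP_VERSION_ID < 80000) {
        shmop_close($shm);           // needed before PHP 8.0, deprecated after
    }

    if ($written !== strlen($marker) || $read !== $marker) {
        return [false, 'segment created but the write/read round trip failed'];
    }
    return [true, "a {$size}-byte segment was created, written, read and removed"];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
}
[$ok, $detail] = shmop_self_test();
echo ($ok ? 'COMPATIBLE: ' : 'NOT COMPATIBLE: ') . $detail . "\n";
```

Delete the file from the site once you have the answer, so that it does not keep reporting details of the PHP build to anyone who requests it.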

You can use it even on a site with very little memory available, because NinjaFirewall requires only around 20KB of shared memory.
The memory usage status will be visible from the "Overview" menu:

2. Access Control

Access Control is a powerful set of directives that can be used to allow or restrict access to your blog, depending on the User Role, IP, Geolocation, Requested URL, User-agent and visitor behavior (Rate Limiting). Those directives will be processed before the Firewall Policies and NinjaFirewall's built-in security rules. You can enable/disable firewall logging (Log event checkbox) for each access control directive separately.

  • Access Control main configuration allows you to whitelist WordPress users depending on their roles, to select the source IP (useful if your site is using a CDN or behind a reverse-proxy/load balancer), and the HTTP methods all directives should apply to:

  • Access Control can use geolocation to block visitors from specific countries. If you have a theme or a plugin that needs to know your visitors' location, you can ask NinjaFirewall to append the country code to the PHP headers in the $_SERVER["NINJA_COUNTRY_CODE"] variable:

NinjaFirewall includes GeoLite data created by MaxMind, available from

    PHP code example to use in your theme or plugin to geolocate your visitors:

  • Access Control can be used to whitelist / blacklist an IP or a part of it. NinjaFirewall natively supports both IPv4 and IPv6 protocols:

  • Access Control, with its Rate-Limiting feature, can slow down aggressive bots, crawlers, web scrapers or even small HTTP attacks.
    Because it can block attackers before WordPress is loaded and can handle thousands of HTTP requests per second, NinjaFirewall will save precious bandwidth and reduce your server load.

  • URL Access Control:

  • Bots Access Control:

3. Web Filter

While NinjaFirewall can hook and scan incoming requests, the WP+ Edition can also hook the response body (i.e., the output of the HTML page right before it is sent to your visitor's browser) and search it for specific keywords. Such a filter can be useful to detect hacking or malware patterns injected into your HTML page (text strings, spam links, malicious JavaScript code), hackers' shell scripts, redirections and even errors (PHP/MySQL errors). Some suggested keywords as well as a default list are included.
In the case of a positive detection, NinjaFirewall will not block the response body but will send you an alert by email. It can even attach the whole HTML source of the page for your review.
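
The general technique, hooking the response with an output-buffer callback and reporting matches without changing the page, looks like this in PHP. This is an added example, not NinjaFirewall code: the keyword list and the sample page are constructed, and it writes to the PHP error log where NinjaFirewall sends an email.

```php
<?php
// Added example, not NinjaFirewall code: detect keywords in the response body
// and report them, leaving the output untouched.

// Constructed keyword list; pick strings that should never appear on your pages.
const WATCHED_KEYWORDS = [
    'eval(base64_decode(',                    // obfuscated loader
    '<iframe style="display:none"',           // hidden injected frame
    'You have an error in your SQL syntax',   // leaked MySQL error
    'Fatal error:',                           // leaked PHP error
];

function find_keywords(string $body, array $keywords): array
{
    $hits = [];
    foreach ($keywords as $keyword) {
        $pos = stripos($body, $keyword);      // case-insensitive search
        if ($pos !== false) {
            // Keep a short excerpt around the first match for the alert.
            $hits[$keyword] = substr($body, max(0, $pos - 30), strlen($keyword) + 60);
        }
    }
    return $hits;
}

function response_filter(string $buffer): string
{
    $uri = json_encode($_SERVER['REQUEST_URI'] ?? '(cli)', JSON_INVALID_UTF8_SUBSTITUTE);
    foreach (find_keywords($buffer, WATCHED_KEYWORDS) as $keyword => $excerpt) {
        // json_encode() keeps page content from injecting line breaks into the log.
        error_log(sprintf('response filter: %s matched %s near %s', $uri,
            json_encode($keyword), json_encode($excerpt, JSON_INVALID_UTF8_SUBSTITUTE)));
    }
    return $buffer;                           // detection only: output is unchanged
}

// Everything printed after this call passes through response_filter() before it is sent.
ob_start('response_filter');

// Constructed page standing in for the site's normal output.
echo "<html><body><h1>Blog</h1>\n";
echo "<iframe style=\"display:none\" src=\"https://example.invalid/\"></iframe>\n";
echo "</body></html>\n";
```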

4. Antispam

NinjaFirewall (WP+ Edition) can protect your blog comment and registration forms against spam. The protection is totally transparent to your visitors and does not require any interaction: no CAPTCHA, no math puzzles or trivia questions. Extremely easy to activate, but powerful enough to make spam bots' lives as miserable as possible:

The NinjaFirewall antispam feature works only with WordPress built-in comment and registration forms. If you are using third-party plugins to generate your forms, they will not be protected against spam.

5. Improved features

NinjaFirewall (WP+ Edition) makes it possible to allow uploads while rejecting potentially dangerous files: system files (.htaccess, .htpasswd, php.ini), scripts (bash/shell, PHP, Ruby, Perl/CGI, Python), C/C++ source code and Unix/Linux binary files (ELF). You can easily limit the size of each uploaded file too, without having to modify your PHP configuration:
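
The sketch below shows how an upload check along these lines can combine the file name, a size limit and the first bytes of the content. It is an added example, not NinjaFirewall's own code; the block lists, the 1 MB limit and the sample files are constructed.

```php
<?php
// Added example, not NinjaFirewall's own code. Lists and limits are constructed.
const BLOCKED_NAMES      = ['.htaccess', '.htpasswd', 'php.ini'];
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'sh', 'rb', 'pl', 'cgi', 'py', 'c', 'cpp', 'h'];

// Returns the reason an upload is rejected, or null if it passes every check.
function upload_reject_reason(string $clientName, string $tmpPath, int $maxBytes): ?string
{
    $name = strtolower(basename($clientName));
    if (in_array($name, BLOCKED_NAMES, true)) {
        return 'system file name';
    }
    // Check every dot-separated part, so "shell.php.jpg" is caught as well.
    foreach (array_slice(explode('.', $name), 1) as $part) {
        if (in_array($part, BLOCKED_EXTENSIONS, true)) {
            return "blocked extension .$part";
        }
    }
    $size = @filesize($tmpPath);
    if ($size === false || $size > $maxBytes) {
        return 'unreadable or larger than the size limit';
    }
    // The name is client-controlled, so also look at the first bytes of the content.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 512);
    if (strncmp($head, "\x7fELF", 4) === 0) {
        return 'ELF binary';
    }
    if (strncmp($head, '#!', 2) === 0) {
        return 'script with a shebang line';
    }
    if (stripos($head, '<?php') !== false) {
        return 'PHP code';
    }
    return null;
}
// Constructed samples: client file name => file content.
$samples = [
    'photo.jpg'     => "\xff\xd8\xff\xe0 constructed JPEG-like bytes",
    'shell.php.jpg' => 'constructed text',
    'avatar.png'    => "\x7fELF constructed header",
    'notes.txt'     => "#!/bin/sh\n# constructed\n",
];
foreach ($samples as $name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    printf("%-14s %s\n", $name, upload_reject_reason($name, $tmp, 1048576) ?? 'accepted');
    unlink($tmp);
}
```

In a real upload handler the two string arguments would come from the `name` and `tmp_name` entries of `$_FILES`.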

The "Firewall Log" menu has been revamped too. You can disable the firewall log, delete the current log, enable log rotation based on the size of the file and, if any, view each rotated log separately. Filtering options are quickly accessible from checkboxes:

