
WordPress Firewall 2 Plugin Review: A Must-Have for your WP Blog

Product by: pavy and seoegghead
Price: Free

Reviewed by:
Rating: 4
On December 3, 2012
Last modified: April 29, 2013

Summary:

It's inevitable, hackers are everywhere and your blog will be attacked sooner or later. You need WordPress Firewall 2 plugin to avoid jeopardizing your WP blog

It’s inevitable, hackers are everywhere and your blog will be attacked sooner or later. Automated bots are constantly searching for WordPress sites that have security vulnerabilities.
You need a WordPress firewall plugin to avoid jeopardizing your WP blog, and this is why I’m doing this review to help you.

I addressed a related problem at another entry point, your “front door”, with the Limit Login Attempts plugin.

If you don’t have a firewall installed, you might not even notice the issue, but be sure that these types of attacks are constant. If these attacks are successful, sorry my friend – your blog was injected with something nasty that will generate an unpleasant headache :(

 

Firewall Versions Available

Today, there are two different free WordPress Firewalls: WordPress Firewall 2 plugin and WordPress Firewall plugin.

  • WordPress Firewall was the original plugin developed by seoegghead, and the latest update was in 2009.
  • WordPress Firewall 2 is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features, but its latest update was still in 2010.

I took the most “recent” version, the WordPress Firewall 2 plugin, and this is the one I’m using right now on my blogs.

Just as you have a Windows Firewall, a WordPress firewall detects and blocks potential attacks.
This WordPress plugin investigates web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks.

Malicious attacks detected:

  • SQL injection attack detection
  • WordPress-specific SQL injection attack detection
  • Blocking executable file uploads
  • Remote arbitrary code injection detection
  • Directory traversal attack detection

I don’t bother to know in depth exactly what each of these attack types is, because I don’t want ANY of them here :)
After such an attack, the plugin responds with an inoffensive 404 or with a redirect to the home page.

 

WordPress Firewall 2 Plugin Settings

As you can see in the screenshot below, the security filters are displayed. For the first item, I leave exactly the same settings.

 

[Screenshot: WordPress Firewall 2 Plugin Settings]

 

I do activate the email address report. Why? Because it’s extremely important to know which IP is attacking, and if it’s not yours or a known IP, you should ban this IP forever; this IP is NOT welcome anymore.

 

[Screenshot: WordPress Firewall 2 plugin - alert firewall wp email]

 

Are there false positives?
Yes, eventually you can be blocked with your own IP! Sometimes when you’re touching something in your code or adding JavaScript code, the firewall can be triggered, blocking what you’re doing. Even more, one day when I was adding images via the Dashboard / Media, after a certain time the plugin started to block me ;)

I didn’t know it until some minutes later, when I started to look at why I couldn’t add more images, and I found the culprit: the firewall.

My recommendation is to enter your IP(s) and whitelist them. Then, the plugin will reject all the other IPs that are causing problems.

 

[Screenshot: firewall whitelist ips]

 

  • Static IPs are easy: put them in “Whitelisted IPs”, save and you’re done.
  • Dynamic IPs use the same method, but you need to refresh this data every time you’re doing a task that easily triggers the plugin.
    This is my case; I have dynamic IPs that change every 12 hours, so when I’m going to do something that could trigger the plugin, I whitelist the IP I have at that moment.
    If more than 12 hours pass and I’m still doing something “fishy” for the plugin, I need to enter my new IP again. This is somewhat cumbersome, but for me it really doesn’t matter, because it’s a small price to pay to have a kick-everything firewall.
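
A toy model of the request filtering and IP whitelisting described above, as an added example that is not the plugin's code: the patterns, the `inspect_request` function and the sample requests are assumptions made for illustration. It shows why a legitimate edit from your own address can be blocked and how a whitelist entry changes the verdict.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Patterns are assumptions made for this example; they are NOT the rules
# shipped with WordPress Firewall 2.
RULES = {
    "directory traversal": re.compile(r"\.\./|\.\.\\"),
    "SQL injection": re.compile(
        r"\bunion\b.+\bselect\b|\bdrop\s+table\b|'\s*or\s+'?1'?\s*=\s*'?1", re.I | re.S),
    "WordPress-specific SQL injection": re.compile(r"\bwp_(users|options)\b|\buser_pass\b", re.I),
    "remote code injection": re.compile(r"\b(eval|base64_decode)\s*\(", re.I),
}
EXECUTABLE_UPLOAD = re.compile(r"\.(php\d?|phtml|exe|sh|pl|cgi)$", re.I)


def inspect_request(client_ip, params, upload_names=(), whitelist=()):
    """Return ("allow", None) or ("block", reason) for one request."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in whitelist):
        return ("allow", None)  # whitelisted addresses skip every filter
    for name in upload_names:
        if EXECUTABLE_UPLOAD.search(name):
            return ("block", f"executable file upload: {name}")
    for key, value in params.items():
        decoded = unquote_plus(value)  # match on the URL-decoded value
        for reason, pattern in RULES.items():
            if pattern.search(decoded):
                return ("block", f"{reason} in parameter '{key}'")
    return ("allow", None)


# Constructed sample data (documentation address ranges, made-up parameters).
ADMIN_IP, BOT_IP = "203.0.113.25", "198.51.100.7"
PROBE = {"page": "..%2F..%2Fwp-config.php"}
THEME_EDIT = {"content": "<script src='../js/slider.js'></script>"}

if __name__ == "__main__":
    print(inspect_request(BOT_IP, PROBE))                               # blocked
    print(inspect_request(ADMIN_IP, THEME_EDIT))                        # false positive
    print(inspect_request(ADMIN_IP, THEME_EDIT, whitelist=[ADMIN_IP]))  # allowed
```

Because the whitelist is matched on the exact address, a dynamic IP that has changed since the entry was saved is filtered like any other visitor.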

If you’re designing your blog, entering data in your WordPress theme or doing similar things, you can consider deactivating the plugin and reactivating it later when you have finished. Don’t forget to activate the firewall again!

I’m giving one star less in this review with Author Review Pro, because the Firewall 2 plugin should have an update (but it still kicks out the bad guys!).
Also, there can be a bug when you try to whitelist an IP, but the IP is finally added if you refresh the page, and everything is fine:
“Warning: unserialize() expects parameter 1 to be string, array given in ….. wordpress-firewall-2.php on line …”
This is a long string; I cut off the initial portion for my own security ;)

Are you using the WordPress Firewall 2 plugin, or have you installed the original old version?

 

 


11 Responses to WordPress Firewall 2 Plugin Review: A Must-Have for your WP Blog

  1. Good review, Gera!

    I’d just like to mention, for those who run their blogs on their own VPS (especially unmanaged), the first line of defense is at the server level with setting up “iptables” and installing something like “Fail2Ban.” Then plugins like this one add another layer of protection but don’t have to work so hard with doing what should be handled before malicious bots and people arrive at the front door (or back door!).

    Also, Gera, have you seen Better WP Security (http://bit51.com/software/better-wp-security/)? I’m planning to test it on a new site. Looks pretty comprehensive. Maybe you’ll consider doing a review?
    Vernessa Taylor

    • Vernessa, many thanks for the feedback about adding more security. Totally agree: the harder for bots, the better. It’s possible to add an extra layer with e.g. Cloudflare, which not only improves the speed of the site via CDN, it also has an extra defense against online threats from spammers, SQL injections, etc.

      Regarding Better WP Security, at least the free version: http://wordpress.org/extend/plugins/better-wp-security/ I’ve read mixed results so far.
      It seems a complete plugin, but in some cases it touches too much, breaking the sites. Perhaps for a new installation it is great, but for sites already installed it should be taken with caution.

      I have in my portfolio to review, or at least to test, to see how it goes:

      Wordfence Security
      Better WP Security
      BulletProof Security

      I’ve installed Wordfence Security on a test site and I’ll present my results in future posts.
      Next, it’ll be Better WP Security.
      Nowadays, I’m reviewing some WordPress themes :)
      Gera

      • Hi Gera, it’s a really nifty review site you’ve put together here! :) I’ll be sure to check out some of your theme reviews.

        Yeah, I looked at WordFence plugin — the features and visited their forums to see what experiences people were reporting. Same with Better WP Security. You’re right to caution blog owners about new site vs. established sites. I’ve heard mixed reviews about it, too.

        I signed up for your WPulsar news feed so I can keep up with your upcoming reviews. Security is a big deal for blog owners; since I manage a number of blogs for clients, I try to keep on top of this stuff for their sakes as well.

        Cheers!
        Vernessa Taylor

        • Hi Vernessa,

          Those complete – do it all – plugins can be a double-edged sword for sites already established, so you should take steps as sure as possible when managing blogs for clients, but anyway, of course, they are worth exploring more :)

          I’ve some WP themes on my agenda already installed and others coming, some massive WordPress-related posts, assorted plugins and much more.

          Thanks a bunch for signing up to WPulsar; this is my relatively new blog. I’ve plans to increase my posts here as soon as I’ve more time LOL, working on this point :)

          Have a great weekend coming soon!
          Gera

  2. Hey Gera,

    I thought you might be interested, since you review the WP Firewall 2 plugin, in our WordPress Simple Firewall plugin: http://wordpress.org/plugins/wp-simple-firewall/

    Basically we’ve written it to carry-on from where WPF2 left off, clean up some of the problems it had, and add effective, but non-intrusive protection for your sites.

    As you mentioned in the comments with the other security plugin, they can seriously impact an already running blog. Our plugin works similarly to WPF2 and can easily be added to any site at any time. And, you have the option to turn on individual features with granular controls.

    I’d be interested to hear what you think of it given you like WPF2.

    Thanks for your time!
    Cheers,
    Paul.
    Paul G.

  3. While surfing for WordPress firewall blogs I stumbled over here. I have gone through your blog, which is really interesting. I just started learning about firewalls; because of that I came to know about web application firewalls and saw this waf.comodo.com. What is your opinion about this one? What is the difference between an ordinary firewall and a web application firewall?
