WordPress Firewall 2 Plugin Review: A Must-Have for your WP Blog

Update: the plugin hasn’t been updated in several years, so I recommend using more advanced & updated plugins.

Some complete plugins can be:

It’s inevitable: attackers are everywhere and your blog will be attacked sooner or later. Automated bots are constantly scanning for WordPress sites with security vulnerabilities.
You need a WordPress firewall plugin to avoid jeopardizing your WP blog, and that is why I’m writing this review to help you.

I already addressed another entry point, the login “front door”, in my post about the Limit Login Attempts plugin.

If you don’t have a firewall installed, you might not even notice the issue, but be sure that these types of attacks are constant. If one of them succeeds, sorry my friend, your blog has been injected with something nasty that will give you an unpleasant headache 🙁


Firewall Versions Available

Today, there are two different free WordPress firewall plugins: WordPress Firewall 2 and WordPress Firewall.

  • WordPress Firewall was the original plugin, developed by seoegghead; its latest update was in 2009.
  • WordPress Firewall 2 is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features, but its latest update was in 2010.

I took the most “recent” version, WordPress Firewall 2, and this is the one I’m using right now on my blogs.

Just as you have a Windows Firewall on your PC, a WordPress firewall detects and blocks potential attacks.
This plugin inspects incoming web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks.

Attacks it detects:

  • SQL injection attack detection
  • WordPress-specific SQL injection attack detection
  • Blocking executable file uploads
  • Remote arbitrary code injection detection
  • Directory traversal attack detection

I don’t bother to learn exactly and in depth what each type of attack is, because I don’t want ANY of them here 🙂
When it detects one of these attacks, the plugin responds with a harmless 404 or with a redirect to the home page.


WordPress Firewall 2 Plugin Settings

As you can see in the screenshot below, the security filters are listed. For the first item, I leave the settings exactly as they are.


Screenshot: WordPress Firewall 2 plugin settings


I do activate the email report. Why? Because it’s extremely important to know which IP is attacking; if it isn’t yours or a known IP, you should ban that IP for good. That IP is NOT welcome anymore.


Screenshot: WordPress Firewall 2 plugin email alert


Are there false positives?
Yes, you can even be blocked on your own IP! Sometimes when you’re touching something in your code or adding JavaScript, the firewall can be triggered and block what you’re doing. Even more, one day when I was adding images via Dashboard / Media, after a certain time the plugin started to block me 😉

I didn’t realize it until some minutes later, when I started looking into why I couldn’t add more images and found the culprit: the firewall.

My recommendation is to enter your IP(s) and whitelist them. The plugin will then keep rejecting all the other IPs that are causing problems.


Screenshot: firewall whitelisted IPs


  • Static IPs are easy: put them in “Whitelisted IPs”, save, and you’re done.
  • Dynamic IPs use the same method, but you need to refresh this data every time you do a task that easily triggers the plugin.
    This is my case; I have dynamic IPs that change every 12 hours, so whenever I’m about to do something that could trigger the plugin, I whitelist the IP I have at that moment.
    If 12 hours pass and I’m still doing something “fishy” from the plugin’s point of view, I need to enter my new IP again. This is somewhat cumbersome, but it really doesn’t matter to me; it’s a small price to pay for a kick-everything firewall.

If you’re designing your blog, entering data in your WordPress theme or doing similar things, consider deactivating the plugin and re-activating it later when you’re done. Don’t forget to activate the firewall again!
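To make the behaviour described above concrete, both the heuristic checks and the IP whitelist, here is a small PHP request filter added for this review. It is not WordPress Firewall 2’s own code; the wpf_demo_* names and the sample requests are constructed, and the patterns are deliberately simplified versions of the kinds of checks the plugin advertises.

```php
<?php
// Added illustration, not WordPress Firewall 2's own code: a request filter of the
// same shape (simple heuristics, IP whitelist, 404 on a hit); all names constructed.
// Returns the name of the first heuristic a request trips, or null if none do.
function wpf_demo_detect(array $params, array $files): ?string
{
    foreach ($params as $value) {
        $v = rawurldecode((string) $value);   // see through URL encoding first
        if (preg_match('#\.\.[/\\\\]#', $v)) {
            return 'directory traversal';
        }
        if (preg_match('/\b(union\s+select|drop\s+table|insert\s+into)\b/i', $v)) {
            return 'SQL injection';
        }
        if (preg_match('/\bwp_(users|usermeta|options|posts)\b/i', $v)) {
            return 'WordPress-specific SQL injection';
        }
        if (preg_match('#^https?://\S+\.(php|pl|cgi)(\?|$)#i', $v)) {
            return 'remote code injection';
        }
    }
    foreach ($files as $file) {
        if (preg_match('/\.(php\d?|phtml|pl|cgi|exe|sh)$/i', $file['name'])) {
            return 'executable file upload';
        }
    }
    return null;
}
// Whitelisted IPs bypass every heuristic; that is what stops the owner's own
// requests (pasting JavaScript into a post, bulk media uploads) from being blocked.
function wpf_demo_decide(array $req, array $whitelist): string
{
    if (in_array($req['ip'], $whitelist, true)) {
        return 'allow (whitelisted)';
    }
    $hit = wpf_demo_detect($req['params'], $req['files'] ?? []);
    return $hit === null ? 'allow' : "block with 404 ($hit)";
}
$whitelist = ['203.0.113.10'];   // the blog owner's current IP (constructed)
$requests = [
    ['ip' => '198.51.100.7', 'params' => ['page' => '..%2F..%2Fetc%2Fpasswd']],
    ['ip' => '198.51.100.8', 'params' => ['id' => '1 UNION SELECT 1,2,3']],
    ['ip' => '198.51.100.9', 'params' => [], 'files' => [['name' => 'image.php']]],
    ['ip' => '203.0.113.10', 'params' => ['content' => '<script>x()</script> union select']],
    ['ip' => '198.51.100.5', 'params' => ['s' => 'wordpress firewall review']],
];
foreach ($requests as $r) {
    echo $r['ip'], ' => ', wpf_demo_decide($r, $whitelist), PHP_EOL;
}
```

The fourth request shows the false positive from the text: the same “union select” text that gets 198.51.100.8 a 404 is allowed from the whitelisted IP, which is why the owner’s IP has to be kept current when it changes.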

About the Author: Gera

As a WordPress fan, Gera provides detailed reviews, tutorials & guides about plugins, themes & hosting. He enjoys experimenting with them and the results are published on this blog.

Vernessa Taylor says

Good review, Gera!

I’d just like to mention, for those who run their blogs on their own VPS (especially unmanaged), the first line of defense is at the server level with setting up “iptables” and installing something like “Fail2Ban.” Then plugins like this one add another layer of protection but don’t have to work so hard with doing what should be handled before malicious bots and people arrive at the front door (or back door!).

Also, Gera, have you seen Better WP Security (http://bit51.com/software/better-wp-security/)? I’m planning to test it on a new site. Looks pretty comprehensive. Maybe you’ll consider doing a review?

    Gera says

    Vernessa, many thanks for the feedback about adding more security. Totally agree that the harder it is for bots, the better. It’s possible to add an extra layer with e.g. Cloudflare, which not only improves the speed of the site via CDN, it also adds an extra defense against online threats from spammers, SQL injections, etc.

    Regarding Better WP Security, at least the free version: http://wordpress.org/extend/plugins/better-wp-security/ I’ve read mixed results so far.
    It seems a complete plugin, but in some cases it touches too much, breaking sites. Perhaps for a new installation it’s great, but for sites already installed it should be taken with caution.

    I have in my portfolio to review, or at least to test, to see how it goes:

    Wordfence Security
    Better WP Security
    BulletProof Security

    I’ve installed Wordfence Security on a test site and I’ll present my results in future posts.
    Next, it’ll be Better WP Security.
    Nowadays, I’m reviewing some WordPress themes 🙂

      Vernessa Taylor says

      Hi Gera, it’s a really nifty review site you’ve put together here! 🙂 I’ll be sure to check out some of your theme reviews.

      Yeah, I looked at the WordFence plugin — the features — and visited their forums to see what experiences people were reporting. Same with Better WP Security. You’re right to caution blog owners about new sites vs. established sites. I’ve heard mixed reviews about it, too.

      I signed up for your WPulsar news feed so I can keep up with your upcoming reviews. Security is a big deal for blog owners; since I manage a number of blogs for clients, I try to keep on top of this stuff for their sakes as well.


        Gera says

        Hi Vernessa,

        Those complete, do-it-all plugins can be a double-edged sword for sites already established, so you should take the surest steps possible to manage the blogs for your clients, but anyway, of course, they are worth exploring more 🙂

        I have some WP themes on my agenda, already installed, with others coming, some massive WordPress-related posts, assorted plugins and much more.

        Thanks a bunch for signing up to WPulsar, this is my relatively new blog. I have plans to increase my posts here as soon as I have more time LOL, working on this point 🙂

        Have a great weekend coming soon!

Paul G. says

Hey Gera,

I thought you might be interested, since you review the WP Firewall 2 plugin, in our WordPress Simple Firewall plugin: http://wordpress.org/plugins/wp-simple-firewall/

Basically we’ve written it to carry on from where WPF2 left off, clean up some of the problems it had, and add effective but non-intrusive protection for your sites.

As you mentioned in the comments with the other security plugin, they can seriously impact an already running blog. Our plugin works similarly to WPF2 and can easily be added to any site at any time. And, you have the option to turn on individual features with granular controls.

I’d be interested to hear what you think of it given you like WPF2.

Thanks for your time!

    Gera says

    Hi Paul,

    Many thanks for your comment!

    The WordPress Simple Firewall plugin looks interesting as another full option.

    I’ll take a look into it when I can; I’m a little behind writing posts due to other projects I’m having.

    All the best,


      Paul G. says

      Great to hear you’ll take a look at it. I’m aiming to make the plugin serve as a multi-pronged defense against Login and brute-force attack hacking.

      Looking forward to hearing what you think!

        Gera says

        Paul, making the plugin stronger against brute-force attacks is always a good idea, and it’s welcomed by the WordPress community 🙂

        I’ll install and test it when I’ve time, hope in some weeks.

        Thanks for stopping by!


Gera says

Christopher, this is a good idea; use it, at least, together with the Limit Login Attempts plugin. That way you can have a useful & more secure combo.
Good luck with your new blog!

John David says

While surfing for WordPress firewall blogs I stumbled over here. I went through your blog, which is really interesting. I just started learning about firewalls, which is how I came to know about web application firewalls and saw waf.comodo.com. What is your opinion about this one? What is the difference between an ordinary firewall and a web application firewall?

    Gera says

    Thanks for your comment John.
    I didn’t try this application, so I don’t have an opinion about it 😉
