
Active WordPress plugin. Category: [Security](/categories/security)

lwplugins/lw-firewall
=====================

WooCommerce filter rate limiter — blocks bots crawling filter combinations and rate-limits requests per IP.

Latest version: v1.2.3 (released 1mo ago). License: GPL-2.0-or-later. Language: PHP (>= 8.1). CI: passing. Listed since Feb 12; last pushed 1mo ago.

Links: [Source](https://github.com/lwplugins/lw-firewall) | [Packagist](https://packagist.org/packages/lwplugins/lw-firewall) | [Fund](https://sinann.io/) | [RSS](/packages/lwplugins-lw-firewall/feed)

LW Firewall
===========

Lightweight WordPress firewall — rate-limits endpoints, blocks bots, bans repeat offenders, and adds security headers.

The Problem
-----------

Bots brute-force `wp-login.php`, flood `wp-cron.php` and `xmlrpc.php`, crawl WooCommerce filter combinations, scan for vulnerabilities via 404s, and abuse the REST API — all generating thousands of uncacheable requests that overload your server.

How It Works
------------

LW Firewall installs an MU-plugin worker that intercepts requests **before WordPress fully loads** (on `muplugins_loaded`, ahead of themes and regular plugins). Checks run in this order, and the first rule that matches decides the request:

1. **IP Whitelist** — whitelisted IPs skip all further checks, including bot blocking and rate limiting
2. **IP Blacklist** — blacklisted IPs get 403 immediately
3. **Geo Blocking** — block entire countries (Cloudflare `CF-IPCountry` header or local CIDR lookup)
4. **Auto-Ban** — IPs currently under an automatic ban get 403
5. **404 Flood** — IPs with excessive 404s get 429
6. **Bot Blocking** — User-Agent substring matching (all requests)
7. **Endpoint Detection** — classifies the request: WooCommerce filter params, cron, xmlrpc, login, REST API
8. **Rate Limiting** — per-IP counters for the detected endpoint, with auto-ban escalation on repeated violations

Every rule after the whitelist keys on the client IP, so the address the worker sees must be the visitor's and not a proxy's. The README documents real-IP detection for Cloudflare only (see Cloudflare Support); behind any other reverse proxy or load balancer, confirm what `REMOTE_ADDR` contains before relying on the per-IP rules: if every visitor arrives from the proxy's address they all share one rate limit, and whitelisting that address would switch the firewall off for all of them.

Features
--------

### Endpoint Protection

| Endpoint | Protection | Response |
| --- | --- | --- |
| WooCommerce filters | Rate limit + bot blocking | 302 redirect or 429 |
| `wp-login.php` | Brute-force rate limiting | 429 |
| `wp-cron.php` | DDoS rate limiting | 429 |
| `xmlrpc.php` | DDoS/brute-force rate limiting | 429 |
| REST API (`/wp-json/`) | Rate limiting | 429 |
| 404 flood | Vulnerability scanner blocking | 429 |

### Bot Blocking

- Block requests by User-Agent substring matching (case-insensitive)
- 20+ known bad bots blocked by default (AhrefsBot, SemrushBot, DotBot, GPTBot, etc.)
- Add/remove bot patterns via admin UI or WP-CLI
- The User-Agent is chosen by the client, so this rule stops crawlers that identify themselves honestly; a scanner that sends a browser User-Agent passes it and is caught, if at all, by the 404-flood and rate-limit rules. Keep patterns specific: a short substring such as `bot` would also match crawlers you may want indexed (Googlebot, Bingbot).

### IP Whitelist / Blacklist

- Manual IP allow/block lists
- Supports individual IPs and CIDR ranges (e.g. `192.168.1.0/24`)
- Whitelisted IPs bypass all firewall checks
- Blacklisted IPs are always blocked with 403

### Geo Blocking

- Block visitors from specific countries by ISO 3166-1 alpha-2 code (e.g. CN, RU, IN)
- **Cloudflare** — uses the `CF-IPCountry` header that Cloudflare adds to proxied requests (instant, zero-cost)
- **Without Cloudflare** — CIDR-based lookup from a local cache (weekly auto-update from ipdeny.com)
- Fail-open: if no cache exists and no CF header is present, the request is not blocked. On a site that is not behind Cloudflare this means geo blocking does nothing until the cache has been downloaded, so run `wp lw-firewall geo update` (or the manual update in the admin UI) right after enabling it and check the result
- Country blocking is a traffic filter, not an access control: a VPN or proxy changes the apparent country, so it reduces noise but should not be the only thing standing in front of a sensitive endpoint
- Configurable action: 403 Forbidden or redirect to homepage
- Manual CIDR cache update via admin UI or WP-CLI

### Auto-Ban

- Automatically bans IPs that repeatedly exceed rate limits
- Configurable threshold (default: 3 violations)
- Configurable ban duration (default: 1 hour)
- Escalating protection — casual users won't trigger it, persistent attackers get banned
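
The following is an added example of how the rate limiting (step 8 above) and this auto-ban escalation fit together; it is illustrative code written for this page, not LW Firewall's implementation. The `MemoryStore` class stands in for the APCu/Redis/file backends, the key names (`rl:`, `viol:`, `ban:`) and the rule that one window over the limit counts as one violation are assumptions, and only the default values (30 requests per 60 s, 3 violations, 3600 s ban) come from the README. The time source is injected so the demo can advance through windows offline.

```php
<?php
// Added example (not LW Firewall's code): fixed-window per-IP rate limiter that
// escalates repeat offenders to a temporary ban. Names and key layout are invented;
// the default numbers are the README's.
declare(strict_types=1);

/** In-memory TTL store standing in for the APCu/Redis/file backends; time is injected so expiry can be simulated. */
final class MemoryStore
{
    private array $data = [];

    public function __construct(private int $now) {}

    public function advance(int $seconds): void
    {
        $this->now += $seconds;
    }

    public function get(string $key): ?int
    {
        $entry = $this->data[$key] ?? null;
        if ($entry === null || $entry['expires'] <= $this->now) {
            unset($this->data[$key]);
            return null;
        }
        return $entry['value'];
    }

    public function set(string $key, int $value, int $ttl): void
    {
        $this->data[$key] = ['value' => $value, 'expires' => $this->now + $ttl];
    }

    /** Increment; the key is created with the TTL on first use (APCu/Redis INCR plus expire). */
    public function incr(string $key, int $ttl): int
    {
        if ($this->get($key) === null) {
            $this->set($key, 1, $ttl);
            return 1;
        }
        return ++$this->data[$key]['value'];
    }
}

final class RateLimiter
{
    public function __construct(
        private MemoryStore $store,
        private int $limit = 30,         // LW_FIREWALL_RATE_LIMIT
        private int $window = 60,        // LW_FIREWALL_RATE_WINDOW, seconds
        private int $banThreshold = 3,   // LW_FIREWALL_AUTO_BAN_THRESHOLD
        private int $banDuration = 3600, // LW_FIREWALL_AUTO_BAN_DURATION, seconds
    ) {}

    /** HTTP status the worker would send: 200 pass, 429 over the limit, 403 banned. */
    public function check(string $ip, string $endpoint): int
    {
        if ($this->store->get("ban:$ip") !== null) {
            return 403;                                   // auto-ban check runs before counting
        }
        $hits = $this->store->incr("rl:$endpoint:$ip", $this->window);
        if ($hits <= $this->limit) {
            return 200;
        }
        // One violation per window, recorded when the limit is first crossed, so a single burst
        // cannot produce several violations. Assumption: violations are kept for banDuration seconds.
        if ($hits === $this->limit + 1) {
            $violations = $this->store->incr("viol:$ip", $this->banDuration);
            if ($violations >= $this->banThreshold) {
                $this->store->set("ban:$ip", 1, $this->banDuration);
                return 403;
            }
        }
        return 429;
    }
}

// Constructed traffic: one IP sends six wp-login.php requests per window against a limit of five.
$store = new MemoryStore(now: 1_700_000_000);
$limiter = new RateLimiter($store, limit: 5, window: 60, banThreshold: 3, banDuration: 3600);
$ip = '203.0.113.10';

$timeline = [];
for ($w = 1; $w <= 3; $w++) {
    $statuses = [];
    for ($i = 0; $i < 6; $i++) {
        $statuses[] = $limiter->check($ip, 'login');
    }
    $timeline["window $w"] = implode(',', $statuses);
    $store->advance(60);                                  // move into the next fixed window
}
$timeline['during ban'] = $limiter->check($ip, 'login');
$store->advance(3600);                                    // ban and violation counter expire
$timeline['after ban'] = $limiter->check($ip, 'login');
print_r($timeline);
```

In the simulation the sixth request of the first two windows is answered with 429 and counts one violation each, the sixth request of the third window trips the threshold and is answered with 403, the request made during the ban is also 403, and the first request after the ban has expired passes again. The point of counting at most one violation per window is the "casual users won't trigger it" property: a browser that fires a burst of 50 filter requests in one minute is throttled but not banned, while an IP that keeps coming back over the limit, window after window, is.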

### Security Headers

One-click addition of security HTTP headers:

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
- `X-XSS-Protection: 1; mode=block`

These are the low-risk defaults that can be switched on site-wide without breaking pages. Current browsers ignore `X-XSS-Protection` (it is kept for older ones), and the set deliberately leaves out `Content-Security-Policy` and `Strict-Transport-Security`, which need site-specific values and are not part of this plugin.

### Storage Backends

| Backend | Speed | Persistence | Requirement |
| --- | --- | --- | --- |
| **APCu** | Fastest | Per-process | `apcu` extension |
| **Redis** | Fast | Shared | `redis` extension + server |
| **File** | Fallback | Disk-based | Always available |

Auto-detection picks the best available backend. Rate-limit state lives in this backend, so with APCu or File it is local to the host (and APCu state is lost when PHP restarts). When several web nodes serve one site, use Redis so that a bot spread across nodes is counted once and a ban applies everywhere.

### MU-Plugin Worker

- Loads on `muplugins_loaded` (priority 1) — before themes and plugins
- Own autoloader — zero dependency on WordPress plugin system
- Automatic install on activation, removal on deactivation
- **Auto-update** — worker file is automatically replaced when its version doesn't match the plugin version

### Cloudflare Support

- Automatic real IP detection via the `CF-Connecting-IP` header
- The header is honoured only when the connecting address is within Cloudflare's IP ranges, so a client that reaches the origin directly and sets `CF-Connecting-IP` itself cannot spoof its address or, by naming a whitelisted address, bypass the firewall
- This only protects what actually passes through Cloudflare: direct-to-origin requests are evaluated by their real connecting address, and geo blocking for them falls back to the local CIDR cache rather than `CF-IPCountry`
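
The block below is an added example serving two passages: the client-IP resolution described in this Cloudflare Support section and the ordered rule pipeline in "How It Works". It is illustrative code written for this page, not LW Firewall's implementation. Function names, the `$cfg`/`$state` layout, IPv4-only CIDR matching, and the decision to honour `CF-IPCountry` under the same Cloudflare-peer check as `CF-Connecting-IP` are assumptions; the sample addresses are documentation ranges (TEST-NET-2 stands in for a Cloudflare edge range) rather than real data.

```php
<?php
// Added example (not LW Firewall's code): resolve the client IP safely behind Cloudflare,
// then apply the ordered rules from "How It Works". Names, config keys and addresses are invented.
declare(strict_types=1);

/** IPv4-only CIDR match; a bare address counts as /32. */
function cidrMatch(string $ip, string $cidr): bool
{
    [$network, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function inAnyCidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (cidrMatch($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Honour CF-Connecting-IP and CF-IPCountry only when the TCP peer is a Cloudflare edge. */
function resolveClient(array $server, array $cloudflareRanges): array
{
    $peer = $server['REMOTE_ADDR'];
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    if ($forwarded !== null && filter_var($forwarded, FILTER_VALIDATE_IP) && inAnyCidr($peer, $cloudflareRanges)) {
        return ['ip' => $forwarded, 'country' => $server['HTTP_CF_IPCOUNTRY'] ?? null];
    }
    return ['ip' => $peer, 'country' => null];        // direct connection: the header is ignored
}

/** Ordered decision; 200 means the request goes on to endpoint detection and rate limiting. */
function firewallDecision(array $server, array $cfg, array $state): array
{
    ['ip' => $ip, 'country' => $country] = resolveClient($server, $cfg['cloudflare_ranges']);
    $ua = $server['HTTP_USER_AGENT'] ?? '';

    if (inAnyCidr($ip, $cfg['whitelist'])) {
        return [200, 'whitelist'];                      // 1. ends evaluation: no bot or rate checks
    }
    if (inAnyCidr($ip, $cfg['blacklist'])) {
        return [403, 'blacklist'];                      // 2.
    }
    if ($country === null) {                            // 3. no Cloudflare header: local CIDR cache
        foreach ($cfg['geo_cache'] as $code => $ranges) {
            if (inAnyCidr($ip, $ranges)) {
                $country = $code;
                break;
            }
        }
    }                                                   //    empty cache and no header: fail open
    if ($country !== null && in_array($country, $cfg['geo_block'], true)) {
        return [403, "geo:$country"];
    }
    if (($state['ban_until'][$ip] ?? 0) > $state['now']) {
        return [403, 'auto-ban'];                       // 4.
    }
    if (($state['not_found'][$ip] ?? 0) >= $cfg['not_found_limit']) {
        return [429, '404-flood'];                      // 5.
    }
    foreach ($cfg['bots'] as $pattern) {                // 6. case-insensitive substring match
        if (stripos($ua, $pattern) !== false) {
            return [403, "bot:$pattern"];
        }
    }
    return [200, 'pass'];                               // 7./8. endpoint detection and rate limiting
}

// Constructed configuration. 198.51.100.0/24 (TEST-NET-2) stands in for a Cloudflare edge range.
$cfg = [
    'cloudflare_ranges' => ['198.51.100.0/24'],
    'whitelist'         => ['10.0.0.0/8'],
    'blacklist'         => ['192.0.2.0/24'],
    'geo_block'         => ['CN'],
    'geo_cache'         => [],                          // not downloaded yet
    'bots'              => ['AhrefsBot', 'SemrushBot'],
    'not_found_limit'   => 20,
];
$state = ['now' => time(), 'ban_until' => [], 'not_found' => []];
$botUa = 'Mozilla/5.0 (compatible; AhrefsBot/7.0)';

$cases = [
    'spoofed header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '10.1.2.3', 'HTTP_USER_AGENT' => $botUa],
    'via cloudflare' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '10.1.2.3', 'HTTP_USER_AGENT' => $botUa],
    'geo via cf'     => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.50', 'HTTP_CF_IPCOUNTRY' => 'CN'],
    'blacklisted'    => ['REMOTE_ADDR' => '192.0.2.77'],
];
foreach ($cases as $name => $server) {
    [$status, $reason] = firewallDecision($server, $cfg, $state);
    printf("%-15s %d %s\n", $name, $status, $reason);
}
```

The first two cases carry the same spoofable `CF-Connecting-IP` naming a whitelisted address. From a direct connection the header is discarded, the real address is used, and the bot pattern blocks the request; from a Cloudflare edge the header is trusted, the whitelist matches first, and the same bot User-Agent is never examined, which is exactly why whitelist entries deserve care. The third case shows country blocking working through the Cloudflare header while the local cache is still empty; the same request arriving directly would fail open.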

### Request Logging

- Optional logging of all blocked requests (time, IP, reason, User-Agent, URL)
- Admin log viewer with table display
- One-click log clearing

Installation
------------

**Via Composer:**

```
composer require lwplugins/lw-firewall
```

**Manual:**

1. Download the latest release ZIP
2. Upload to `/wp-content/plugins/`
3. Activate in WordPress admin

Settings
--------

Navigate to **LW Plugins &gt; Firewall** in the admin panel.

| Tab | Description |
| --- | --- |
| **General** | Enable/disable, storage backend, rate limit, time window, action, filter params |
| **Protection** | Endpoint toggles (cron, xmlrpc, login, REST API, 404) and auto-ban settings |
| **Bots** | Manage blocked bot User-Agent patterns |
| **IP Rules** | IP whitelist and blacklist (IPs and CIDR ranges) |
| **Geo Blocking** | Country-based blocking with Cloudflare or CIDR fallback |
| **Security** | HTTP security headers toggle |
| **Status** | MU-plugin worker status, worker version, active storage backend, reinstall worker |
| **Logs** | Enable logging, view blocked requests, clear log |
| **Import / Export** | Export settings as JSON, import on another site |

WP-CLI Commands
---------------

```
# Show firewall status overview
wp lw-firewall status

# Configuration
wp lw-firewall config list
wp lw-firewall config set rate_limit 50
wp lw-firewall config set storage redis
wp lw-firewall config set protect_login true
wp lw-firewall config set auto_ban_enabled true
wp lw-firewall config reset --yes

# Bot management
wp lw-firewall bots list
wp lw-firewall bots add "BadBot/1.0"
wp lw-firewall bots remove "BadBot/1.0"

# IP whitelist / blacklist
wp lw-firewall ip list whitelist
wp lw-firewall ip list blacklist
wp lw-firewall ip add whitelist 192.168.1.100
wp lw-firewall ip add blacklist 10.0.0.0/8
wp lw-firewall ip remove whitelist 192.168.1.100

# Geo blocking
wp lw-firewall geo list
wp lw-firewall geo add CN
wp lw-firewall geo remove CN
wp lw-firewall geo update

# Log management
wp lw-firewall logs list --limit=50
wp lw-firewall logs clear --yes

# MU-plugin worker
wp lw-firewall worker install
wp lw-firewall worker remove
```

wp-config.php Overrides
-----------------------

Override any setting via constants in `wp-config.php`. A defined constant takes precedence over the value saved from the admin UI (the stored value remains in the database but is ignored), so pinning settings here keeps them from being changed, or the firewall from being switched off, by anyone who only has access to the dashboard:

```
define( 'LW_FIREWALL_ENABLED', true );
define( 'LW_FIREWALL_STORAGE', 'apcu' );            // apcu, redis, file
define( 'LW_FIREWALL_RATE_LIMIT', 30 );
define( 'LW_FIREWALL_RATE_WINDOW', 60 );             // seconds
define( 'LW_FIREWALL_ACTION', '429' );                // 429 or redirect
define( 'LW_FIREWALL_PROTECT_CRON', true );
define( 'LW_FIREWALL_PROTECT_XMLRPC', true );
define( 'LW_FIREWALL_PROTECT_LOGIN', true );
define( 'LW_FIREWALL_PROTECT_REST_API', false );
define( 'LW_FIREWALL_PROTECT_404', false );
define( 'LW_FIREWALL_AUTO_BAN_ENABLED', true );
define( 'LW_FIREWALL_AUTO_BAN_THRESHOLD', 3 );
define( 'LW_FIREWALL_AUTO_BAN_DURATION', 3600 );     // seconds
define( 'LW_FIREWALL_SECURITY_HEADERS', true );
define( 'LW_FIREWALL_LOG_ENABLED', false );
define( 'LW_FIREWALL_GEO_ENABLED', true );
```

Requirements
------------

- PHP 8.1 or higher
- WordPress 6.0 or higher

Part of LW Plugins
------------------

LW Firewall is part of the [LW Plugins](https://github.com/lwplugins) family — lightweight WordPress plugins with minimal footprint and maximum impact.

| Plugin | Description |
| --- | --- |
| [LW SEO](https://github.com/lwplugins/lw-seo) | Essential SEO features without the bloat |
| [LW Disable](https://github.com/lwplugins/lw-disable) | Disable WordPress features |
| [LW Enable](https://github.com/lwplugins/lw-enable) | Enable WordPress features like SVG uploads |
| [LW ZenAdmin](https://github.com/lwplugins/lw-zenadmin) | Clean up your admin — notices sidebar & widget manager |
| **LW Firewall** | Lightweight firewall — rate limiting, bot blocking, auto-ban |
| [LW Cookie](https://github.com/lwplugins/lw-cookie) | GDPR-compliant cookie consent |
| [LW LMS](https://github.com/lwplugins/lw-lms) | Lightweight LMS — courses, lessons, progress tracking |
| [LW Translate](https://github.com/lwplugins/lw-translate) | Manage community translations from GitHub |
| [LW Site Manager](https://github.com/lwplugins/lw-site-manager) | Site maintenance via AI/REST using Abilities API |

License
-------

GPL-2.0-or-later. See [LICENSE](https://www.gnu.org/licenses/gpl-2.0.html) for details.

Contributing
------------

Contributions are welcome! Please feel free to submit a Pull Request.

Sponsor
-------

Supported by [Sinann](https://sinann.io/)

### Package stats (PHPackages)

- Health score: 39 (Low; better than 86% of packages). Maintenance 89 (actively maintained with recent releases), Popularity 3 (limited adoption so far), Community 6 (small or concentrated contributor base), Maturity 50 (maturing project, gaining track record), Bus factor 1 (top contributor holds 100% of commits, a single point of failure).
- Release activity: 15 releases, cadence every ~3 days (recently every ~8 days); last release 56d ago.
- Maintainer: [trueqap](/maintainers/trueqap), also the top contributor (30 commits).
- Tags: bot-protection, firewall, lightweight, rate-limiting, woocommerce, wordpress, wordpress-plugin
- Code style: PHP_CodeSniffer
