NinTechNet : NinjaFirewall (WP edition)


An optional NinjaFirewall user configuration file can be used to overwrite some of the firewall hard-coded variables, for instance, to tell NinjaFirewall where is located your WordPress configuration file, wp-config.php, if you moved it to another directory, or add/modify server variables.

This file must be named .htninja and must be located in the folder above your website document root : if your document root is /home/user/plublic_html/, the location of the file will be /home/user/.htninja
Because it is located outside the document root and its name starts with .ht, the file is relatively safe and protected (by default, most HTTP servers will prevent anyone from accessing a .ht* file). However, we recommend to change the file permissions to read-only, usually 0444 or 0400.
Also, you need to ensure that you do not have an open_basedir restriction, otherwise you will not be able to use that configuration file.

 Any .htninja directive will be processed first, even before NinjaFirewall brute-force protection.

NinjaFirewall package contains a sample file, named .htninja.sample.

It is a regular PHP file. Note that it does not contain a PHP closing tag (?>). We recommend to keep it that way, because if there was a space or new line character after a closing tag, it would trigger errors on your site (PHP would need to send HTTP headers in order to ouput those characters before your blog is loaded). This problem does not occur when the PHP closing tag is missing.


If you want NinjaFirewall to use a specific wp-config.php file, add its full path to the $wp_config variable :

You can check if the file was detected from your WordPress admin console, in the "NinjaFirewall > Overview" menu :

Server variables

You can add/modify server variables in the .htninja file. For instance, users of the CDN service Cloudflare can copy the visitor real IP (HTTP_CF_CONNECTING_IP) into the REMOTE_ADDR variable so that NinjaFirewall will use the correct IP :

Users of the Incapsula CDN service should use the HTTP_INCAP_CLIENT_IP variable instead :

 Users of NinjaFirewall (WP+ Edition) can perform the same task from the "Access Control > Source IP" menu option rather than using the .htninja file.


It is possible to use NinjaFirewall special return values ALLOW and BLOCK in order to blacklist or whitelist anything you want :

  • ALLOW : the firewall will accept the request immediately and will not filter it.
  • BLOCK : the firewall will block the request (403 Forbidden) and close the connection immediately.

This is the fastest way to allow or block a request because it will be processed before WordPress is loaded and even before NinjaFirewall loads its own configuration. Note that, for this reason, the firewall will not write the event to its log.

For instance, we ask the firewall to allow IP :

Allow IPs, and :

Allow all IPs from to :

To reject, use the BLOCK return value instead :

To allow any access to a PHP script located inside the /foo/bar/ directory :

 Users of NinjaFirewall (WP+ Edition) can whitelist or blacklist IPs from the "Access Control > IP Access Control" menu option rather than using the .htninja file.

Rev.: 1.01 2014-02-12 : added Cloudflare example.
Rev.: 1.02 2014-03-07 : added ALLOW and BLOCK example.
Rev.: 1.03 2014-03-23 : added Incapsula example.
Rev.: 1.04 2014-03-30 : added information about the WP+ Edition.

The Ninja Technologies Network