
NinjaFirewall (WP+ Edition)

Advanced Security Plugin and Firewall for WordPress.

A true Web Application Firewall

NinjaFirewall (WP+ Edition) is a true Web Application Firewall. Although it can be installed and configured just like a plugin, it is a full firewall that stands in front of WordPress.

It allows any blog administrator to benefit from very advanced and powerful security features that usually aren’t available at the WordPress level, but only in security applications such as the Apache ModSecurity module or the PHP Suhosin extension.


NinjaFirewall can hook, scan, sanitise or reject any HTTP/HTTPS request sent to a PHP script before it reaches WordPress or any of its plugins. All scripts located inside the blog installation directories and sub-directories will be protected, including those that aren’t part of the WordPress package. Even encoded PHP scripts, hackers' shell scripts and backdoors will be filtered by the firewall.

NinjaFirewall includes the most powerful filtering engine available in a WordPress plugin. Its most important feature is its ability to normalize and transform data from incoming HTTP requests, which allows it to detect Web Application Firewall evasion techniques and obfuscation tactics used by hackers, as well as to support and decode a large set of encodings. See our blog for a full description: An introduction to NinjaFirewall filtering engine.

Features

  WP Edition (Free) WP+ Edition (Premium)
Full standalone web application firewall
Sensei v1.0 advanced firewall engine (more info)
Most efficient brute-force attack protection (more info)
Unix shared memory use for inter-process communication  
Multisite support
Response body filter (Web Filter)  
HTTP response headers
File uploads management Basic
Role-based Access Control  
Possibility to prepend PHP code to the firewall (more info)
IP address & AS number Access Control  
Rate-limiting option  
Geolocation Access Control  
URL Access Control  
User Input Access Control  
Bot Access Control  
Configurable HTTP return code and message
Centralized Logging  
Activity log & Statistics Basic
Syslog Logging compatible with Fail2Ban (more info)  
Antispam for comment and user registration forms  
Real-time detection (File Guard)
File integrity monitoring to scan your website (File Check)
Event notifications
Security updates alert (more info)
General Data Protection Regulation (GDPR) compliance
Requirements: WordPress 4.9+ and PHP 7.1+ (both editions)
Dedicated Help Desk with priority support WordPress Forum
 

Pricing

Plan #1

USD $79

per domain/year

  • 1 domain
  • or multisite

Plan #2

USD $63

per domain/year

  • From 2 to 5 domains
  • 20% off

Plan #3

USD $55

per domain/year

  • From 6 to 15 domains
  • 30% off

Plan #4

USD $47

per domain/year

  • 15+ domains
  • 40% off

FAQ

We accept all major credit and debit cards from Visa, Mastercard, American Express and JCB.

Note that we use 3D Secure verification (Verified by Visa, Mastercard SecureCode, AMEX SafeKey and J/Secure) to add an extra layer of security to your transaction.
We do not store your credit card information; all payment transactions are securely processed via our PCI-compliant payment processor.

If you are planning to use NinjaFirewall (WP+ Edition) on a WordPress multisite installation, you will need one license only. Contact us if you are unsure.

  1. Create an account.
  2. Log in.
  3. Select a subscription plan and add credit* to your account using a Credit Card or Debit Card.
  4. Create your license.

* After receiving your payment, we will credit your account accordingly and you will be free to use your account balance to create your NinjaFirewall license(s) whenever you want. For instance, if you only have one website but want a discount, select Plan #2 (2 to 5 domains), make your payment for two licenses and create your first license. Next year, when your license expires, you can use your remaining credit to renew that license.

  1. Log in.
  2. Add funds to your account (or use your credit if you have sufficient funds in your account) to pay the annual license fee.
  3. Renew the current license.
  4. Log in to WordPress, click on "NinjaFirewall > Dashboard > License" and enter the newly created license.

  • WordPress 4.9 or above.
  • PHP 7.1 or above.

There's no subscription, automatic renewal or recurring payment: if you have a NinjaFirewall license and don't renew it, it will be cancelled automatically when it reaches its expiry date.

NinjaFirewall stands between the attacker and WordPress. It can filter requests before they reach your blog and any of its plugins. This is how it works:

Attacker > HTTP server > PHP > NinjaFirewall > WordPress

And this is how regular WordPress security plugins work:

Attacker > HTTP server > PHP > WordPress > Security Plugin

If you are using WordPress, you should install the WP+ Edition because it was specifically written to secure WordPress. The Pro+ Edition should be used with non-WordPress applications such as Joomla, Magento or any other PHP website.

NinjaFirewall works on Unix-like servers only. There is no Microsoft Windows version and we do not expect to release any.

Will NinjaFirewall detect the correct IP of my visitors if I am behind a CDN service like Cloudflare or Incapsula?

If you are using NinjaFirewall (WP+ Edition), you can modify the source IP from the "Access Control > Source IP" menu. If you are using the free NinjaFirewall (WP Edition), you can use an optional configuration file to tell the firewall which IP to use. Please follow these steps.
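
An added example (not NinjaFirewall code, and not the contents of its configuration file): the check to apply before overriding the source IP behind a CDN, accepting the forwarded header only when the connecting peer is one of the CDN's proxies. The function names and proxy ranges are hypothetical; `CF-Connecting-IP` is Cloudflare's header, and other CDNs use different ones.

```php
<?php
// Added example, not NinjaFirewall code. Ranges are constructed documentation prefixes.
const TRUSTED_PROXIES = ['192.0.2.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid input or mixed address families
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : strlen($ipBin) * 8;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    // Compare the remaining high-order bits of the next byte, if any.
    $rest = $bits % 8;
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return $rest === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Honour the forwarded header only when the TCP peer is a trusted proxy
// and the header carries exactly one valid IP; otherwise keep the peer.
function resolve_client_ip(array $server, string $header = 'HTTP_CF_CONNECTING_IP'): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = trim($server[$header] ?? '');
    if ($claimed === '' || filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $claimed;
        }
    }
    return $peer;
}

// Constructed requests: one relayed by a trusted proxy, one direct
// connection that supplies the same header itself.
echo resolve_client_ip(['REMOTE_ADDR' => '192.0.2.10', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7']), "\n";
echo resolve_client_ip(['REMOTE_ADDR' => '198.51.100.5', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7']), "\n";
```

Without the peer check, any client can set the header itself and have rate limiting, brute-force protection and IP access control applied to an address of its choosing.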

How can I restrict access to NinjaFirewall settings and menu?

See our blog post: Restricting access to NinjaFirewall (WP Edition) settings.

I moved my wp-config.php file to another directory. Will it work with NinjaFirewall?

Just like WordPress does, NinjaFirewall will look for the wp-config.php script in the current folder or, if it cannot find it, in the parent folder.

Can I add/write my own security rules?

You can use the optional .htninja configuration file for that purpose.

Can I migrate my site(s) with NinjaFirewall installed?

In order to migrate your site, follow these steps:
  1. Export your NinjaFirewall configuration from the "Firewall Options" menu.
  2. With your FTP client, download its log and cache folders located in /wp-content/nfwlog/.
  3. Uninstall NinjaFirewall.
  4. Migrate your site.
  5. Upload its /wp-content/nfwlog/ folder to your new site (unless you already copied it during the blog migration).
  6. Install NinjaFirewall.
  7. Reimport its configuration from the "Firewall Options" menu.
Note: "File Check" configuration cannot be exported/imported; it will have to be reconfigured.

Lost password (brute-force protection)

If you cannot access your WordPress admin console because you lost the brute-force protection username and/or password:
  1. Connect to your server over FTP.
  2. Delete the /wp-content/nfwlog/cache/bf_conf.php script.
  3. Log in to the WP admin console, click on "NinjaFirewall > Login Protection" and reconfigure the brute-force protection options.

Cannot connect to WordPress database

After installing NinjaFirewall, the firewall returns the following error message:

NinjaFirewall fatal error : Cannot connect to WordPress database

Download our database test script:

  1. Rename this file to wp-db.php.
  2. Upload it into your WordPress root folder.
  3. Go to https://YOUR WEBSITE/wp-db.php
  4. Delete it afterwards.

Blocked visitors

Because each site is different, it is possible that the default configuration of NinjaFirewall may wrongly block some visitors. If this occurs, please consult this post: Testing NinjaFirewall without blocking your visitors.

Fatal error, crash or failed installation

Consult this post for help: Troubleshoot NinjaFirewall installation problems.