NinjaFirewall WP+ Edition

A powerful Web Application Firewall to protect WordPress against web attacks.

How secure is your WordPress blog?

Give your blog the highest level of protection it deserves, no less!

Blocks all major threats

Cross-Site Scripting (XSS)
Local & Remote File Inclusion (LFI, RFI)
Insecure Deserialization
SQL Injection (SQLi)
PHP object injection
Remote Code Execution (RCE)
XML External Entity (XXE)

Large set of options

50+ firewall policies
300+ security rules
Access Control
Syslog Logging/Fail2Ban
IPv4, IPv6 & AS number
And many more...

Powerful filtering engine


Speed matters

High Performance Firewall
Low CPU/RAM usage
Fast & compact
Highly optimized

We offer two versions

» WP Edition

A free and open-source edition available on

» WP+ Edition

A supercharged premium edition with many exciting features that make it the most advanced security plugin for WordPress.

Features & Comparison

Features (WP Edition vs. WP+ Edition)

Full standalone web application firewall
"Sensei v1.0" advanced firewall engine
Most efficient brute-force attack protection
Unix shared memory use for inter-process communication
Multisite support
HTTP response headers
Response body filter (Web Filter) to scan the output of the HTML page right before it is sent to your visitors' browser
File uploads management
  WP Edition: Block/allow uploads. Sanitise file names.
  WP+ Edition: Block/allow uploads. Sanitise file names. Block dangerous files. Scan ZIP files. Limit file size.
Possibility to prepend your own PHP code to the firewall (.htninja)
Role-based Access Control
  WP Edition: Admin only
  WP+ Edition: All roles available on the blog
IP address & AS number Access Control
Rate-limiting option
Country-based Access Control (Geolocation)
URL Access Control
User Input Access Control
Bot Access Control
IPv4 & IPv6 compatibility
Configurable HTTP return code and message
Centralized Logging to remotely access the firewall log of all your NinjaFirewall protected websites from one single installation
Activity log & Statistics
  WP Edition: View log. Widget Stats. Live Log.
  WP+ Edition: View, select, export, delete, filter, enable and disable log. Auto rotation. Widget Stats. Live Log.
Syslog Logging (compatible with Fail2Ban)
Antispam for comment and user registration forms
Real-time detection (File Guard)
File integrity monitoring to scan your website (File Check)
  WP Edition: Hourly, twicedaily, daily
  WP+ Edition: Hourly, twicedaily, daily
Event notifications
Security rules update
  WP Edition: Hourly, twicedaily, daily
  WP+ Edition: Every 15mn, 30mn, hourly, twicedaily, daily
General Data Protection Regulation (GDPR) compliance
Requirements
  WP Edition: WordPress 4.9+, PHP 7.1+, Unix-like OS only
  WP+ Edition: WordPress 4.9+, PHP 7.1+, Unix-like OS only
Online support
  WP Edition: WordPress Forum only
  WP+ Edition: Dedicated Help Desk with priority support


Plan #1


per domain/year
  • 1 domain or
  • multisite installation

Plan #2


per domain/year
  • From 2 to 5 domains
  • 20% off

Plan #3


per domain/year
  • From 6 to 15 domains
  • 30% off

Plan #4


per domain/year
  • From 16 to 49 domains
  • 40% off

Plan #5


per domain/year
  • From 50 to 99 domains
  • 50% off

Plan #6


per domain/year
  • 100+ domains
  • 60% off

All prices are in USD, per domain and per year.

Frequently Asked Questions

NinjaFirewall stands between the attacker and WordPress. It can filter requests before they reach your blog and any of its plugins. This is how it works:

Attacker > HTTP server > PHP > NinjaFirewall > WordPress

And this is how regular WordPress security plugins work:

Attacker > HTTP server > PHP > WordPress > Security Plugin

NinjaFirewall includes a very powerful filtering engine that can detect Web Application Firewall evasion techniques and obfuscation tactics used by hackers, as well as support and decode a large set of encodings. See our blog for a detailed description: An introduction to NinjaFirewall v3.0 filtering engine.

If you are using WordPress, you should install the WP+ Edition because it was specifically written to secure WordPress. The Pro+ Edition should be used with non-WordPress applications such as Joomla, Magento or any other PHP website.

If you are planning to use NinjaFirewall (WP+ Edition) on a WordPress multisite installation, you will need one license only. Contact us if you are unsure.

  1. Create an account.
  2. Log in.
  3. Select a subscription plan and add credit* to your account using a Credit Card or Debit Card.
  4. Create your license.
* After receiving your payment, we will credit your account accordingly and you will be free to use your account balance to create your NinjaFirewall license(s) whenever you want. For instance, if you only have one website but want a discount, select Plan #2 (2 to 5 domains), make your payment for two licenses and create your first license. Next year, when your license expires, you can use your remaining credit to renew that license.

  1. Log in.
  2. Add funds to your account (or use your credit if you have sufficient funds in your account) to pay the annual license fee.
  3. Renew the current license.
  4. Log in to WordPress, click on "NinjaFirewall > Dashboard > License" and enter the newly created license.

NinjaFirewall works on Unix-like servers only. There is no Microsoft Windows version and we do not expect to release any.

Will NinjaFirewall detect the correct IP of my visitors if I am behind a CDN service like Cloudflare or Incapsula?

If you are using NinjaFirewall (WP+ Edition), you can modify the source IP from the "Access Control > Source IP" menu. If you are using the free NinjaFirewall (WP Edition), you can use an optional configuration file to tell the firewall which IP to use. Please follow these steps.
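
When the visitor address is taken from a CDN header, the header should be honoured only if the connection really comes from the CDN, because a client that reaches the origin directly can send the same header. The following is an added example for the optional .htninja file, not NinjaFirewall's own code or the steps linked above; it assumes .htninja runs before the firewall reads $_SERVER['REMOTE_ADDR'], and the proxy ranges and all nfx_ names are placeholders.

```php
<?php
// Added example for .htninja; not NinjaFirewall's own code.
// Assumption: this file runs before the firewall reads $_SERVER['REMOTE_ADDR'].

// Constructed placeholder ranges (documentation prefixes): replace them with
// the address ranges your CDN publishes for its edge servers.
$nfx_trusted_proxies = ['192.0.2.0/24', '2001:db8::/32'];
// Header in which the CDN passes the visitor address (Cloudflare: CF-Connecting-IP).
$nfx_client_header = 'HTTP_CF_CONNECTING_IP';

// Hypothetical helper: true when $ip lies inside $cidr (IPv4 or IPv6).
function nfx_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($net);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // malformed address, or IPv4 compared with IPv6
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ip_bin) * 8) {
        return false;
    }
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    $rem  = $bits % 8;        // leftover bits in the next byte
    if (substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$full]) & $mask) === (ord($net_bin[$full]) & $mask);
}

$nfx_peer    = $_SERVER['REMOTE_ADDR'] ?? '';
$nfx_claimed = $_SERVER[$nfx_client_header] ?? '';
foreach ($nfx_trusted_proxies as $nfx_cidr) {
    if (nfx_ip_in_cidr($nfx_peer, $nfx_cidr)) {
        // The peer is a CDN edge, so its header is used; the format is still validated.
        if (filter_var($nfx_claimed, FILTER_VALIDATE_IP) !== false) {
            $_SERVER['REMOTE_ADDR'] = $nfx_claimed;
        }
        break;
    }
}
```

Requests that arrive from outside the listed ranges keep their real peer address, so IP-based access control, rate limiting and the firewall log cannot be steered by a forged header.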

How can I restrict access to NinjaFirewall settings and menu?

See our blog post: Restricting access to NinjaFirewall (WP Edition) settings.

I moved my wp-config.php file to another directory. Will it work with NinjaFirewall?

Just like WordPress does, NinjaFirewall will look for the wp-config.php script in the current folder or, if it cannot find it, in the parent folder.

Can I add/write my own security rules?

You can use the optional .htninja configuration file for that purpose.

Can I migrate my site(s) with NinjaFirewall installed?

In order to migrate your site, follow these steps:
  1. Export your NinjaFirewall configuration from the "Firewall Options" menu.
  2. With your FTP client, download its log and cache folders located in /wp-content/nfwlog/.
  3. Uninstall NinjaFirewall.
  4. Migrate your site.
  5. Upload its /wp-content/nfwlog/ folder to your new site (unless you already copied it during the blog migration).
  6. Install NinjaFirewall.
  7. Reimport its configuration from the "Firewall Options" menu.
Note: "File Check" configuration cannot be exported/imported; it will have to be reconfigured.

Lost password (brute-force protection)

If you cannot access your WordPress admin console because you lost the brute-force protection username and/or password:
  1. Connect to your server over FTP.
  2. Delete the /wp-content/nfwlog/cache/bf_conf.php script.
  3. Log in to the WP admin console, click on "NinjaFirewall > Login Protection" and reconfigure the brute-force protection options.

Cannot connect to WordPress database

After installing NinjaFirewall, the firewall returns the following error message:

NinjaFirewall fatal error : Cannot connect to WordPress database

Download our database test script:

  1. Rename this file to wp-db.php.
  2. Upload it into your WordPress root folder.
  3. Go to https://YOUR WEBSITE/wp-db.php
  4. Delete it afterwards.

Blocked visitors

Because each site is different, the default configuration of NinjaFirewall may wrongly block some visitors. If this occurs, please consult this post: Testing NinjaFirewall without blocking your visitors

Fatal error, crash or failed installation

Consult this post for help: Troubleshoot NinjaFirewall installation problems.

© 2024 The Ninja Technologies Network
