NinjaFirewall (WP+ Edition)

Help & FAQ


How to disable NinjaFirewall

There are three possible ways to disable NinjaFirewall:

  • Log into the WordPress admin dashboard, go to the "Plugins" menu and click on the "Deactivate" link.
  • Log into the WordPress admin dashboard, go to the "NinjaFirewall > Firewall Options > Firewall protection", select "Disabled" and click on the "Save Firewall Options" button.
  • Rename the PHP INI (php.ini, .user.ini or php5.ini) or the .htaccess file that contains the NinjaFirewall auto_prepend_file directive. Use this method only if you cannot get access to your WordPress admin dashboard.

Failed installation:

This is the most common problem experienced by some users. At the end of the installation process, it displays the Error: the firewall is not loaded message.

See our blog article: Troubleshoot NinjaFirewall installation problems.

Locked out of your site / Fatal error / WordPress crash:

DO NOT rename NinjaFirewall folder or files as this would only make things worse.

If you are locked out of your site, blocked by NinjaFirewall or if WordPress crashed right after installing/activating NinjaFirewall:

  1. Connect to your server via FTP and download the PHP INI and/or .htaccess files located inside your WordPress root folder (this is where is also located your main index.php page, the blog configuration wp-config.php and its license file license.txt etc).
  2. Edit those files and remove all lines that start with BEGIN NinjaFirewall and end with END NinjaFirewall.
  3. Re-upload those files to your server.
  4. If the operation was successful, you should be able to access your WordPress admin console, go to the "Plugins" menu and click on the "Deactivate" link under NinjaFirewall.
    If you still cannot access your admin dashboard, you can manually remove the plugin by deleting its installation folder:
    - NinjaFirewall (WP Edition): delete /wp-content/plugins/ninjafirewall/
    - NinjaFirewall (WP+ Edition): delete /wp-content/plugins/nfwplus/

Lost password (brute-force protection):

If you cannot access your WordPress admin console because you lost the brute-force protection username and/or password:

  1. Connect to your server via FTP.
  2. Delete the /wp-content/nfwlog/cache/bf_conf.php script.
  3. Log in to the WP admin console, click on "NinjaFirewall > Login Protection" and reconfigure the brute-force protection options.

Blank page after INSTALLING NinjaFirewall:

In some cases, right after installing it, you may get a blank page and/or the following error message:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at .../.../wp-content/plugins/ninjafirewall/lib/firewall.php...

The problem may come from your PHP session save handler (session.save_handler) configuration which is not set up to use files.

Blank page after UNINSTALLING NinjaFirewall:

In some cases, right after uninstalling it, you may get a blank page and/or the following error message:

Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0 Fatal error: Unknown: Failed opening required '.../wp-content/plugins/ninjafirewall/lib/firewall.php' ... in Unknown on line 0
  1. The problem can be due to your PHP configuration that may require a few minutes before the PHP INI file, which was edited during the uninstallation process, is reloaded by PHP. If this is your own server, simply restart PHP (e.g. PHP-FPM) or your HTTP server (Apache) in order to reload the INI file immediately, otherwise, you need to wait a couple of minutes, until the file is reloaded. The problem will then go away.
  2. You still have NinjaFirewall's instructions in your PHP INI file or .htaccess. Open that file, look for similar lines and delete them:

    PHP INI:
    ; BEGIN NinjaFirewall
    auto_prepend_file = /......./firewall.php
    ; END NinjaFirewall

    # BEGIN NinjaFirewall
    php_value auto_prepend_file /......./firewall.php
    # END NinjaFirewall

500 Internal Server Error:

This fatal error may occur if you are running PHP as an Apache module (mod_php5). It is likely due to the fact that your Apache server does not allow the php_value directive to be added to your .htaccess. Your server logs will display the following error message:

/full/path/to/your/.htaccess: php_value not allowed here

To solve the problem, edit your main Apache configuration file and ensure that the AllowOverride directive is set to All instead of None for your vhost:

<Directory /path/to/your/website/folder>
AllowOverride All

Restart Apache after making the change.
If you are on a shared hosting account, contact your host about the issue.

Cannot connect to WordPress database:

After installing NinjaFirewall, the firewall returns the following error message:

NinjaFirewall fatal error : Cannot connect to WordPress database

Download our database test script:

  1. Rename this file to wp-db.php.
  2. Upload it into your WordPress root folder.
  3. Go to http://YOUR WEBSITE/wp-db.php
  4. Delete it afterwards.

Blocked visitors:

Because each site is different, it is possible that the default configuration of NinjaFirewall may wrongly block some visitors. If this occurred, NinjaFirewall would display a message with an incident ID (7-digit number):

  1. Ask your visitor to give you that number.
  2. Check your firewall log ("Firewall Log" menu from your WordPress administration interface) and find the rule number that matches the incident ID you want to disable. They are displayed in the INCIDENT and RULE columns.
  3. Go to the "Rules Editor" menu, select the corresponding rule number from the enabled rules list and disable it.

Note: if the RULE column from your log shows a hyphen "-" instead of a number, that means that the rule can be changed in your "Firewall Policies" page.

Further reading: Testing NinjaFirewall without blocking your visitors.

Exporting NinjaFirewall's configuration:

You can easily export NinjaFirewall's configuration which is stored in the database:

  • If you have access to the admin dashboard, you can export it from the "Firewall Options" menu.
  • If you don't have access to the admin dashboard, you can use this script: wp-export.txt