Deny All Firewall

July 04, 2024

Deny All Firewall Plugin

Blocks access to everything except genuine site content using .htaccess

Deny All Firewall

This plugin examines your WordPress installation and injects rules into your .htaccess file which completely block access to everything except genuine site content.

Doing so reduces load on your server, prevents hackers from scanning your site for exploits and even reduces the carbon footprint of your site! We estimate that this plugin will reduce the amount of CO2 used by an average WordPress site by 100Kg per year which is equivalent to the carbon footprint of a flight from London to Ibiza!

Blocked requests can be logged and whitelisted to fine tune your firewall to your specific website.

Whitelisted requests can be 301 redirected to another web address.

The plugin monitors for content changes and will alert users if changes are detected and rules need to be refreshed.

There is a “Lock Down” feature which blocks all requests with Query Strings or POST data. This is how SQL / PHP injection, XSS and other attacks are implemented but it is also how some themes and plugins talk to your server so may require some requests to be whitelisted for your site.

There is a “Sitemap” feature which autmatically generates an XML sitemap and lets search engines find it through a robots.txt file. This sitemap is more detailed than the one automatically generated by WordPress.

There is an “Allow All Content” feature for sites with way too much content to list in the .htaccess file.

There is an “Allow All IPs” feature for sites with too many users to list all their IP addresses in the .htaccess file.

There is a “Force SSL” feature for sites with an SSL certificate to force visitors to use HTTPS rather than HTTP.

Prevents WordPress version from being shown in and /feed/ meta.

Currently we only support Apache servers but will be looking to include Nginx in the future.

Please contact us through the support forum to let us know immediately if the plugin blocks anything that it shouldn’t do!

Installation

Easily use this plugin to prevent access to everyting except your site’s content using the .htaccess file …

1) Install “Deny All Firewall” automatically or by uploading the ZIP file.
2) Activate the plugin through the “Plugins” menu in WordPress.
3) From the Dashboard, select “Deny All Firewall” from the “Settings” menu.

Changelog

1.8.0

  • Added support for “Merge + Minify + Refresh” plugin to serve gzip compressed CSS and JS files

1.7.9

  • Minor security fixes for string translations

1.7.8

  • General housekeeping

1.7.7

  • Updated link to Yoast! sitemap option, fixed bug with anchor tags in 301 redirects, added .webp to allowed image types and allowed date archives

1.7.6

  • Fixed a bug that prevented Authors and Editors from refreshing the firewall rules

1.7.5

  • Added .map to allowed filetypes in /wp-content/uploads/ and /wp-content/plugins/
  • Prevent showing of WordPress version in and /feed/ meta

1.7.4

  • Added XLS, XLSX, WOFF, WOFF2, TTF and OFT to allowed filetypes in /wp-content/uploads/

1.7.3

  • Prevent server callbacks from refreshing .htaccess

1.7.2

  • Fix bug where Site Health check blocks the current user

1.7.1

  • Permanent fix for mystery .htaccess RewriteRule bug

1.7.0

  • Temporary fix for mystery .htaccess RewriteRule bug

1.6.9

  • Allowed for the omission of trailing slashes

1.6.8

  • Preparing for WordPress v6.0

1.6.7

  • Bug fix to allow pages of search
  • Bug fix to allow “_” in content slugs
  • Bug fix to allow the use of (.*) wildcards in whitelist redirects

1.6.6

  • Fixed a bug whereby sitemap was disabled when already enabled on settings update

1.6.5

  • Fixed a bug when .htaccess cannot be opened
  • Fixed a bug to enable server ipv6 detection

1.6.4

  • Fixed a bug retrieving server IP adddress
  • Removed all PHP short tags

1.6.2

  • Fixed a bug with current user IP address check

1.6.0

  • Added a check to redirect to the login page if a logged in user’s IP changes

1.5.9

  • Fixed a bug on some systems that causes infinite redirects with Force SSL option

1.5.8

  • Added ability to change the content of the “403 Forbidden” page and added a search facility

1.5.7

  • Removed WP CRON event to auto-refresh firewall rules as this causes issue with Cloudflare

1.5.6

  • Added support for IPv6 server IP and WordPress search queries

1.5.5

  • Added Yoast SEO detection to prevent XML Sitemap conflicts

1.5.4

  • Bug fix

1.5.3

  • Allow custom post type preview when using lock down feature

1.5.2

  • Added .mpg and .m4a to /wp-content/uploads/ whitelist
  • Fixed bug to allow WPBakery Page Builder to edit pages when “Allow All IPs” is selected

1.5.1

  • Added support for the new sitemap XSL file in WordPress v5.5

1.5.0

  • Added “Force SSL” option

1.4.9

  • Bug fixes

1.4.8

  • Fixed a bug with “lock down” feature when running WooCommerce

1.4.7

  • Fixed bugs with “lock down” feature when running WooCommerce

1.4.6

  • Block requests with no HTTP_HOST

1.4.5

  • Bug fixes

1.4.4

  • Added options to allow all content and / or IPs

1.4.3

  • Deactivation now uninstalls plugin changes, bug fix

1.4.2

  • Added “Refresh Firewall Rules” button to editor, bug fixes

1.4.1

  • Bug fixes

1.4.0

  • Refresh firewall rules from the admin notice
  • Prevent caching of 403 page
  • Compatibility when WordPress installed in a sub directory
  • Bug fixes

1.3.9

  • Autodetect if comments are open on any posts and allow through the firewall
  • Bug fixes

1.3.8

  • Fixed bug when the server’s external IP cannot be established

1.3.7

  • Fixed bug with “Administration email verification”

1.3.6

  • Locked down /wp-json/ POST requests

1.3.5

  • Bug fixes

1.3.4

  • Bug fixes

1.3.3

  • Allowed wp-json through POST block
  • Bug fix

1.3.2

  • Added new “Sitemap” feature
  • Bug fixes

1.3.1

  • Added new “Lock Down” feature
  • Removed un-necessary options
  • Bug fixes

1.3.0

  • Added delete checkbox to Whitelist
  • Bug fix

1.2.9

  • Refined content change monitoring
  • Bug fixes

1.2.8

  • Added the ability to 301 redirect whitelisted requests
  • Made the 403 page more user friendly

1.2.7

  • Refined content change monitoring
  • Unblocked .png from /wp-includes/

1.2.6

  • Modified the blocked request logging to be more compatible with different servers

1.2.5

  • Unblock /wp-json/wp/v2/users for logged in users as it is used when editing posts in Gutenberg

1.2.4

  • Option to automatically refresh the firewall rules if content changes have been detected
  • Option to show content changed notices on all pages or just the settings page
  • Whitelisted .gif in /wp-content/

1.2.3

  • Notifications shown when site content has changed

1.2.2

  • Made whitelisted font filetypes consistent
  • Whitelisted Google verification files
  • Bug fixes

1.2.1

  • Whitelisted .bmp files from /wp-content/uploads/
  • Compatibility fixes for older PHP and WordPress installations

1.2.0

  • Updated log file analyses to include existing directory detection
  • Minor bug fix

1.1.9

  • Minor bug fixes

1.1.8

  • Updated 403 page
  • Updated log file analysis
  • Minor bug fixes

1.1.7

  • CSRF vulnerability fixed

1.1.6

  • Added more whitelisted filetypes to wp-content
  • Fixed a problem with WooCommerce /checkout/order-received/
  • Made whitelisted requests more secure

1.1.5

  • Added more whitelisted filetypes to wp-includes, wp-admin and wp-content

1.1.4

  • Added “Whitelist” / “Unblock” feature

1.1.3

  • Unblocked inactive theme screenshot.png
  • Show if blocked requests exist in log file

1.1.2

  • Unblocked paginated taxonomies
  • Started adding notes to logged blocked requests

1.1.1

  • Bug fixes

1.1.0

  • Blocks user sniffing

1.0.9

  • Created an option to turn on log

1.0.8

  • Bug fix

1.0.7

  • Settings page now shows top twenty blocked requests

1.0.6

  • Unblocked and secured WP-Cron
  • Started logging blocked requests

1.0.5

  • Created a custom 403 page

1.0.4

  • Display status of server’s external IP

1.0.3

  • Locates server’s external IP address and whitelists it for /wp-admin/

1.0.2

  • /wp-admin/ unblocked for logged in client IP now works with Cloudflare

1.0.1

  • Bug fixes

1.0.0

  • First version of the plugin

Details

  • Version: 1.8.0
  • Active installations: 100
  • WordPress Version: 4.7.0
  • Tested up to: 6.6.1
  • PHP Version: 5.6

Ratings


5 Stars
4 Stars
3 Stars
2 Stars
1 Stars