TrapFlux Request Firewall

Description

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by how they behave, not just where they come from.

  • Behavior-based blocking — exploit-path probes (.env, wp-config backups, .sql dumps), malicious user agents, and request floods.
  • Rate limiting — every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.
  • Honeypot traps — invisible links only bots follow; one visit means a permanent ban.
  • Subnet bans — block a whole CIDR range (e.g. 20.100.172.0/24) when attackers rotate IPs on cloud providers.
  • Text attack reports — one-click downloadable .txt reports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company.
  • fail2ban-friendly log — one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin’s detections.
  • Fails open — any internal error and your site keeps working normally. An emergency disable.flag file shuts blocking off instantly via FTP.
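The following Python model, added here as an illustration and not code from the plugin, shows how the behaviours in the list above combine into one block/allow decision: a sliding-window rate limit in which exploit-path hits count double, a honeypot path that triggers a permanent ban, a CIDR subnet ban, and a fail-open wrapper. The thresholds, path lists and data structures are assumptions for this example only.

```python
import ipaddress
from collections import defaultdict, deque

# Illustrative model of the behaviours listed above. The thresholds, the path
# lists and the data structures are assumptions for this example, not the
# plugin's real configuration or code.
EXPLOIT_PATHS = {"/.env", "/wp-config.php.bak", "/backup.sql"}  # constructed samples
HONEYPOT_PATH = "/trap-link"                                      # constructed sample
WINDOW_SECONDS = 60      # sliding window for rate limiting
MAX_POINTS = 10          # points allowed per window before a rate-limit block
EXPLOIT_WEIGHT = 2       # hits on exploit paths "count double"


class RequestFirewall:
    def __init__(self, banned_subnets=()):
        self.points = defaultdict(deque)   # ip -> timestamps, one entry per point
        self.permanent_bans = set()        # IPs that followed the honeypot link
        self.subnets = [ipaddress.ip_network(c) for c in banned_subnets]

    def _in_banned_subnet(self, ip):
        addr = ipaddress.ip_address(ip)    # raises ValueError on garbage input
        return any(addr in net for net in self.subnets)

    def _points_in_window(self, ip, now):
        q = self.points[ip]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()                    # forget hits older than the window
        return len(q)

    def decide(self, ip, path, now):
        """Return (allowed, reason) for one request at time `now` (seconds)."""
        if ip in self.permanent_bans:
            return False, "honeypot"
        if self._in_banned_subnet(ip):
            return False, "subnet-ban"
        if path == HONEYPOT_PATH:
            self.permanent_bans.add(ip)    # one visit means a permanent ban
            return False, "honeypot"
        weight = EXPLOIT_WEIGHT if path in EXPLOIT_PATHS else 1
        self.points[ip].extend([now] * weight)
        if self._points_in_window(ip, now) > MAX_POINTS:
            return False, "rate-limit"
        return True, "ok"


def guarded_decide(fw, ip, path, now):
    """Fail open: any internal error lets the request through."""
    try:
        return fw.decide(ip, path, now)
    except Exception:
        return True, "fail-open"


def first_blocked(fw, ip, path, count, start=0.0):
    """Send `count` requests one second apart; return the 1-based index of the
    first one that is blocked, or None if all are allowed."""
    for i in range(count):
        allowed, _ = fw.decide(ip, path, start + i)
        if not allowed:
            return i + 1
    return None


if __name__ == "__main__":
    fw = RequestFirewall(banned_subnets=["20.100.172.0/24"])
    print("scanner blocked at request", first_blocked(fw, "198.51.100.9", "/.env", 20))
    print("visitor blocked at request", first_blocked(fw, "203.0.113.5", "/", 20))
    print(fw.decide("20.100.172.37", "/", 0))
    print(guarded_decide(fw, "not-an-ip", "/", 0))
```

With these assumed numbers a scanner probing exploit paths is blocked on its 6th request while a visitor fetching ordinary pages is blocked only on the 11th, which is the "banned far faster" effect the feature list describes; the `guarded_decide` wrapper is the fail-open behaviour, and an unparseable client address simply passes through instead of breaking the site.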

Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries. For maximum resource savings you can point PHP’s auto_prepend_file at firewall.php so blocking happens before WordPress loads at all. See the FAQ.

Honest limitations

  • This is a request firewall, not a malware scanner — it will not detect an already-infected site.
  • It ships with rules for today’s common probes and has no cloud threat feed; review the rules occasionally.
  • The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable that single toggle if you use them.
  • All assets (CSS/JS) are bundled — the plugin makes no external network requests.

Installation

  1. Upload the trapflux-request-firewall folder to /wp-content/plugins/, or install the zip via Plugins → Add New → Upload.
  2. Activate TrapFlux Request Firewall. Your current IP is auto-whitelisted on activation.
  3. Open the TrapFlux Request Firewall menu in wp-admin for stats, logs, reports and settings.

Data (config, bans, logs) is stored in wp-content/uploads/trapflux-request-firewall/. An .htaccess deny rule is written automatically (Apache). On NGINX add:

location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }

FAQ

How do I enable blocking before WordPress loads?

Set PHP’s auto_prepend_file to the engine, in .user.ini (most shared hosting) or php.ini:

auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php

Or in Apache .htaccess (mod_php):

php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"

The engine guards against double-loading, so having both is safe.

I locked myself out. What do I do?

Create an empty file named disable.flag inside wp-content/uploads/trapflux-request-firewall/ via FTP or your host’s file manager. All blocking stops instantly. Delete the file to re-enable.

Can my hosting company use the log with fail2ban?

Yes. Each blocked request is one line in wp-content/uploads/trapflux-request-firewall/blocked.log:

2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit

Suggested failregex: ^.* \| <HOST> \| .* \| BLOCKED: .*$
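To check that the suggested failregex actually picks the client address out of the documented log layout, the following Python script, added here as an example and not part of the plugin, expands the `<HOST>` tag the way fail2ban does, runs the pattern over a constructed sample of blocked.log, and tallies which hosts would reach a jail's maxretry. The `<HOST>` expansion is the one documented by classic fail2ban releases (an assumption; recent versions use a richer alias that also covers IPv6 literals), and the stricter timestamp-anchored variant is likewise this example's suggestion rather than the plugin's.

```python
import re
from collections import Counter

# The failregex suggested above; <HOST> is a fail2ban tag, not regex syntax.
FAILREGEX = r"^.* \| <HOST> \| .* \| BLOCKED: .*$"

# A stricter variant (assumption, not from the plugin) that anchors on the
# timestamp field instead of relying on the greedy leading ".*" to backtrack
# to the address column.
STRICT_FAILREGEX = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \| <HOST> \| "

# Expansion of <HOST> as documented by classic fail2ban releases (assumption:
# recent versions use a richer alias that also matches IPv6 literals).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Replace the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(lines, failregex=FAILREGEX):
    """Hosts captured from every line that matches failregex, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.match, lines) if m]


def offenders(lines, maxretry, failregex=FAILREGEX):
    """Hosts with at least `maxretry` matching lines. The findtime window is
    ignored here; fail2ban applies it itself."""
    counts = Counter(matched_hosts(lines, failregex))
    return {host: n for host, n in counts.items() if n >= maxretry}


# Constructed sample of blocked.log in the layout shown in the FAQ; the block
# reasons other than rate-limit and the user agents are made up for this example.
SAMPLE_LOG = [
    "2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: python-requests/2.31 | BLOCKED: rate-limit",
    "2026-06-11 14:32:08 | 20.100.172.37 | GET /.env | UA: python-requests/2.31 | BLOCKED: exploit-path",
    "2026-06-11 14:32:09 | 20.100.172.37 | GET /wp-config.php.bak | UA: python-requests/2.31 | BLOCKED: exploit-path",
    "2026-06-11 14:35:41 | 198.51.100.9 | GET /trap-link | UA: Mozilla/5.0 | BLOCKED: honeypot",
    "2026-06-11 14:36:02 a line that is not in the blocked.log format and must not match",
]

if __name__ == "__main__":
    print(matched_hosts(SAMPLE_LOG))
    print(offenders(SAMPLE_LOG, maxretry=3))
```

Both patterns capture the second pipe-delimited column as the host because that is the only column consisting purely of address characters; the stricter variant simply makes that explicit. In a real deployment the chosen `failregex` goes under `[Definition]` in a filter file such as /etc/fail2ban/filter.d/trapflux.conf, and a jail in jail.local points its `logpath` at the blocked.log path shown above.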

Changelog

1.0.5

  • Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data directory now resolves exclusively via wp_upload_dir(); activation aborts with a clear message if that is unavailable, instead of guessing a path.

1.0.4

  • Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR hardcode and dirname walk-up fallbacks.
  • Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
  • Plugin activation now stores the resolved upload path in config.json so the prepend-mode engine can locate its data without guessing.

1.0.3

  • Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all options, hooks, AJAX actions and constants.
  • Moved all data (config, bans, logs) to the uploads directory: wp-content/uploads/trapflux-request-firewall/.
  • Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request URI).
  • Added a direct-access guard to the firewall engine file.

1.0.2

  • Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes, no build step, no framework).

1.0.1

  • Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard now makes zero external requests.

1.0.0

  • Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans, text reports, fail2ban-friendly logging, emergency off-switch.