Title: TrapFlux Request Firewall
Author: susheelhbti
Published: June 18, 2026
Last modified: June 18, 2026

---

![](https://s.w.org/plugins/geopattern-icon/trapflux-request-firewall.svg)

# TrapFlux Request Firewall

 By [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Download](https://downloads.wordpress.org/plugin/trapflux-request-firewall.zip)


## Description

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability
scanners and bot floods by **how they behave**, not just where they come from.

 * **Behavior-based blocking** — exploit-path probes (`.env`, `wp-config` backups,
   `.sql` dumps), malicious user agents, and request floods.
 * **Rate limiting** — every visitor is rate limited; hits on exploit paths count
   double, so scanners get banned far faster than real visitors ever could.
 * **Honeypot traps** — invisible links only bots follow; one visit means a permanent
   ban.
 * **Subnet bans** — block a whole CIDR range (e.g. `20.100.172.0/24`) when attackers
   rotate IPs on cloud providers.
 * **Text attack reports** — one-click downloadable `.txt` reports (summary + raw
   log) listing every URL attackers tried to access, ready to hand to your hosting
   company.
 * **fail2ban-friendly log** — one pipe-delimited line per blocked request, so your
   host can ban attackers at the network level using the plugin’s detections.
 * **Fails open** — any internal error and your site keeps working normally. An 
   emergency `disable.flag` file shuts blocking off instantly via FTP.

#### Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries.
For maximum resource savings you can point PHP’s `auto_prepend_file` at `firewall.php`
so blocking happens before WordPress loads at all. See the FAQ.

#### Honest limitations

 * This is a request firewall, not a malware scanner — it will not detect an
   already-infected site.
 * It ships with rules for today’s common probes and has no cloud threat feed; review
   the rules occasionally.
 * The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable
   that single toggle if you use them.
 * All assets (CSS/JS) are bundled — the plugin makes no external network requests.

## Installation

 1. Upload the `trapflux-request-firewall` folder to `/wp-content/plugins/`, or install
    the zip via Plugins → Add New → Upload.
 2. Activate **TrapFlux Request Firewall**. Your current IP is auto-whitelisted on 
    activation.
 3. Open the **TrapFlux Request Firewall** menu in wp-admin for stats, logs, reports
    and settings.

Data (config, bans, logs) is stored in `wp-content/uploads/trapflux-request-firewall/`.
An `.htaccess` deny rule is written automatically (Apache). On NGINX add:

```
location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }
```

## FAQ

### How do I enable blocking before WordPress loads?

Set PHP’s `auto_prepend_file` to the engine, in `.user.ini` (most shared hosting)
or `php.ini`:

```
auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php
```

Or in Apache `.htaccess` (mod_php):

```
php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"
```

The engine guards against double-loading, so having both is safe.

### I locked myself out. What do I do?

Create an empty file named `disable.flag` inside
`wp-content/uploads/trapflux-request-firewall/` via FTP or your host’s file manager.
All blocking stops instantly. Delete the file to re-enable.

### Can my hosting company use the log with fail2ban?

Yes. Each blocked request is one line in
`wp-content/uploads/trapflux-request-firewall/blocked.log`:

```
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit
```

Suggested failregex: `^.* \| <HOST> \| .* \| BLOCKED: .*$`
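
A hosting-side consumer of this log, as an added example (not the plugin's code): a Python parser that takes the address only from the second field, treats the client-supplied `UA:` text as opaque even when it contains ` | `, and lists /24 ranges with several blocked addresses as subnet-ban candidates. The sample lines, `parse_line`, `summarize` and the thresholds are constructed for illustration; whether the plugin escapes ` | ` in logged values is not stated on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the blocked.log format shown above (not real traffic).
SAMPLE_LOG = """\
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: curl/8.0 | BLOCKED: rate-limit
2026-06-11 14:32:09 | 20.100.172.41 | GET /.env | UA: scanner | 198.51.100.7 | x | BLOCKED: rate-limit
2026-06-11 14:32:10 | 20.100.172.58 | GET /backup.sql | UA: - | BLOCKED: rate-limit
2026-06-11 14:33:01 | 203.0.113.5 | POST /xmlrpc.php | UA: Mozilla/5.0 | BLOCKED: rate-limit
not a log line
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

def parse_line(line):
    """Return (timestamp, ip, request, user_agent, reason) or None if malformed."""
    # The first two fields are written by the plugin; split them off from the left.
    head = line.rstrip("\n").split(" | ", 2)
    if len(head) != 3 or not TS.match(head[0]):
        return None
    try:
        ip = ipaddress.ip_address(head[1])
    except ValueError:
        return None
    # The reason is the last field; split it off from the right.
    body, sep, reason = head[2].rpartition(" | BLOCKED: ")
    if not sep:
        return None
    # The UA is free text and may contain " | "; it is never used to locate fields.
    request, sep, ua = body.partition(" | UA: ")
    if not sep:
        return None
    return head[0], ip, request, ua, reason

def summarize(log_text, prefix=24, min_hosts=3):
    """Count blocks per IP; list IPv4 /prefix networks with >= min_hosts distinct IPs."""
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[1]] += 1
    nets = Counter()
    for ip in per_ip:
        if ip.version == 4:
            nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    candidates = sorted(str(n) for n, hosts in nets.items() if hosts >= min_hosts)
    return per_ip, candidates
```
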

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“TrapFlux Request Firewall” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ susheelhbti ](https://profiles.wordpress.org/susheelhbti/)

[Translate “TrapFlux Request Firewall” into your language.](https://translate.wordpress.org/projects/wp-plugins/trapflux-request-firewall)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/trapflux-request-firewall/),
check out the [SVN repository](https://plugins.svn.wordpress.org/trapflux-request-firewall/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/)
by [RSS](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.5

 * Removed the last hardcoded `WP_CONTENT_DIR` fallback (in plugin activation). Data
   directory now resolves exclusively via `wp_upload_dir()`; activation aborts with
   a clear message if that is unavailable, instead of guessing a path.

#### 1.0.4

 * Used `wp_upload_dir()` exclusively for data directory resolution; removed the
   `WP_CONTENT_DIR` hardcode and `dirname` walk-up fallbacks.
 * Replaced the custom `SCRIPT_FILENAME` direct-access guard with the standard `ABSPATH`
   check (plus a `TRAPFLUX_PREPEND_MODE` constant for `auto_prepend_file` users).
 * Plugin activation now stores the resolved upload path in `config.json` so the
   prepend-mode engine can locate its data without guessing.

#### 1.0.3

 * Renamed to TrapFlux Request Firewall with a distinctive `trapflux_` prefix on all
   options, hooks, AJAX actions and constants.
 * Moved all data (config, bans, logs) to the uploads directory:
   `wp-content/uploads/trapflux-request-firewall/`.
 * Sanitized all `$_SERVER` inputs at intake (user agent, IPs, request method, request
   URI).
 * Added a direct-access guard to the firewall engine file.

#### 1.0.2

 * Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes,
   no build step, no framework).

#### 1.0.1

 * Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard
   now makes zero external requests.

#### 1.0.0

 * Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans,
   text reports, fail2ban-friendly logging, emergency off-switch.

## Meta

 * Version **1.0.5**
 * Last updated **23 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.2 or higher**
 * Tags: [bot blocking](https://wordpress.org/plugins/tags/bot-blocking/), [firewall](https://wordpress.org/plugins/tags/firewall/),
   [honeypot](https://wordpress.org/plugins/tags/honeypot/), [rate limiting](https://wordpress.org/plugins/tags/rate-limiting/),
   [security](https://wordpress.org/plugins/tags/security/)
 * [Advanced View](https://wordpress.org/plugins/trapflux-request-firewall/advanced/)
