{"id":325456,"date":"2026-06-18T09:13:14","date_gmt":"2026-06-18T09:13:14","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/bot-shield\/"},"modified":"2026-06-18T08:57:58","modified_gmt":"2026-06-18T08:57:58","slug":"trapflux-request-firewall","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/trapflux-request-firewall\/","author":12189875,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.5","stable_tag":"trunk","tested":"7.0","requires":"5.8","requires_php":"7.2","requires_plugins":null,"header_name":"TrapFlux Request Firewall","header_author":"susheelhbti","header_description":"Lightweight, behavior-based bot firewall. Blocks scanners, rate-limits floods, traps bots in honeypots, and produces text attack reports \u2014 all before WordPress wastes resources on them.","assets_banners_color":"","last_updated":"2026-06-18 08:57:58","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":11,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"1.0.2":"<p>Admin styles rewritten as plain CSS; no framework or build step.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[13860,1174,598,232610,600],"plugin_category":[54],"plugin_contributors":[88952],"plugin_business_model":[],"class_list":["post-325456","plugin","type-plugin","status-publish","hentry","plugin_tags-bot-blocking","plugin_tags-firewall","plugin_tags-honeypot","plugin_tags-rate-limiting","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-susheelhbti","plugin_committers-susheelhbti"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/trapflux-request-firewall.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p>TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by <strong>how they behave<\/strong>, not just where they come from.<\/p>\n\n<ul>\n<li><strong>Behavior-based blocking<\/strong> \u2014 exploit-path probes (<code>.env<\/code>, <code>wp-config<\/code> backups, <code>.sql<\/code> dumps), malicious user agents, and request floods.<\/li>\n<li><strong>Rate limiting<\/strong> \u2014 every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.<\/li>\n<li><strong>Honeypot traps<\/strong> \u2014 invisible links only bots follow; one visit means a permanent ban.<\/li>\n<li><strong>Subnet bans<\/strong> \u2014 block a whole CIDR range (e.g. <code>20.100.172.0\/24<\/code>) when attackers rotate IPs on cloud providers.<\/li>\n<li><strong>Text attack reports<\/strong> \u2014 one-click downloadable <code>.txt<\/code> reports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company.<\/li>\n<li><strong>fail2ban-friendly log<\/strong> \u2014 one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin's detections.<\/li>\n<li><strong>Fails open<\/strong> \u2014 any internal error and your site keeps working normally. An emergency <code>disable.flag<\/code> file shuts blocking off instantly via FTP.<\/li>\n<\/ul>\n\n<h4>Strongest mode (optional)<\/h4>\n\n<p>By default the firewall runs when plugins load \u2014 before WP routing, themes and queries. For maximum resource savings you can point PHP's <code>auto_prepend_file<\/code> at <code>firewall.php<\/code> so blocking happens before WordPress loads at all. See the FAQ.<\/p>\n\n<h4>Honest limitations<\/h4>\n\n<ul>\n<li>This is a request firewall, not a malware scanner \u2014 it will not detect an already-infected site.<\/li>\n<li>It ships with rules for today's common probes and has no cloud threat feed; review the rules occasionally.<\/li>\n<li>The \"Block xmlrpc.php\" option breaks Jetpack and the WordPress mobile app \u2014 disable that single toggle if you use them.<\/li>\n<li>All assets (CSS\/JS) are bundled \u2014 the plugin makes no external network requests.<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>trapflux-request-firewall<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install the zip via Plugins \u2192 Add New \u2192 Upload.<\/li>\n<li>Activate <strong>TrapFlux Request Firewall<\/strong>. Your current IP is auto-whitelisted on activation.<\/li>\n<li>Open the <strong>TrapFlux Request Firewall<\/strong> menu in wp-admin for stats, logs, reports and settings.<\/li>\n<\/ol>\n\n<p>Data (config, bans, logs) is stored in <code>wp-content\/uploads\/trapflux-request-firewall\/<\/code>. An <code>.htaccess<\/code> deny rule is written automatically (Apache). On NGINX add:<\/p>\n\n<pre><code>location ^~ \/wp-content\/uploads\/trapflux-request-firewall\/ { deny all; }\n<\/code><\/pre>\n\n<!--section=faq-->\n<dl>\n<dt id=\"how%20do%20i%20enable%20blocking%20before%20wordpress%20loads%3F\"><h3>How do I enable blocking before WordPress loads?<\/h3><\/dt>\n<dd><p>Set PHP's <code>auto_prepend_file<\/code> to the engine, in <code>.user.ini<\/code> (most shared hosting) or <code>php.ini<\/code>:<\/p>\n\n<pre><code>auto_prepend_file = \/full\/path\/to\/wp-content\/plugins\/trapflux-request-firewall\/firewall.php\n<\/code><\/pre>\n\n<p>Or in Apache <code>.htaccess<\/code> (mod_php):<\/p>\n\n<pre><code>php_value auto_prepend_file \"\/full\/path\/to\/wp-content\/plugins\/trapflux-request-firewall\/firewall.php\"\n<\/code><\/pre>\n\n<p>The engine guards against double-loading, so having both is safe.<\/p><\/dd>\n<dt id=\"i%20locked%20myself%20out.%20what%20do%20i%20do%3F\"><h3>I locked myself out. What do I do?<\/h3><\/dt>\n<dd><p>Create an empty file named <code>disable.flag<\/code> inside <code>wp-content\/uploads\/trapflux-request-firewall\/<\/code> via FTP or your host's file manager. All blocking stops instantly. Delete the file to re-enable.<\/p><\/dd>\n<dt id=\"can%20my%20hosting%20company%20use%20the%20log%20with%20fail2ban%3F\"><h3>Can my hosting company use the log with fail2ban?<\/h3><\/dt>\n<dd><p>Yes. Each blocked request is one line in <code>wp-content\/uploads\/trapflux-request-firewall\/blocked.log<\/code>:<\/p>\n\n<pre><code>2026-06-11 14:32:07 | 20.100.172.37 | GET \/xmlrpc.php | UA: ... | BLOCKED: rate-limit\n<\/code><\/pre>\n\n<p>Suggested failregex: <code>^.* \\| &lt;HOST&gt; \\| .* \\| BLOCKED: .*$<\/code><\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.5<\/h4>\n\n<ul>\n<li>Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data directory now resolves exclusively via wp_upload_dir(); activation aborts with a clear message if that is unavailable, instead of guessing a path.<\/li>\n<\/ul>\n\n<h4>1.0.4<\/h4>\n\n<ul>\n<li>Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR hardcode and dirname walk-up fallbacks.<\/li>\n<li>Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).<\/li>\n<li>Plugin activation now stores the resolved upload path in config.json so prepend-mode engine can locate its data without guessing.<\/li>\n<\/ul>\n\n<h4>1.0.3<\/h4>\n\n<ul>\n<li>Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all options, hooks, AJAX actions and constants.<\/li>\n<li>Moved all data (config, bans, logs) to the uploads directory: wp-content\/uploads\/trapflux-request-firewall\/.<\/li>\n<li>Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request URI).<\/li>\n<li>Added a direct-access guard to the firewall engine file.<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes, no build step, no framework).<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard now makes zero external requests.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans, text reports, fail2ban-friendly logging, emergency off-switch.<\/li>\n<\/ul>","raw_excerpt":"Lightweight, behavior-based bot firewall. Blocks scanners before WordPress loads, with text attack reports for your hosting company.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/325456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=325456"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/susheelhbti"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=325456"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=325456"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=325456"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=325456"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=325456"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=325456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}