What Are Firewall Rules?

Firewall rules are security directives that control incoming and outgoing network traffic to your WordPress website. They act as a barrier between your site and potential threats, filtering requests based on predefined criteria such as IP addresses, request types, file paths, and behavioral patterns.

A properly configured firewall is your first line of defense against the bulk of automated WordPress attack traffic: brute-force logins, SQL injection and cross-site scripting (XSS) probes, and directory traversal attempts. It filters requests before they reach PHP, but it complements rather than replaces keeping WordPress core, plugins and themes patched, since a request that matches no signature still reaches the application.

ℹ️ Wp Admin handles all firewall configuration for you. If you're a Wp Admin client, these rules are automatically applied and monitored. This documentation is for reference and for self-managed sites.

Types of Firewalls We Use

  • Web Application Firewall (WAF) — Filters HTTP/HTTPS traffic at the application layer
  • .htaccess Rules — Per-directory Apache directives (the same directives can go in the virtual host config, which is faster because it is read once at startup rather than on every request)
  • Nginx Config Rules — Nginx-specific security configuration in the server block (Nginx has no .htaccess equivalent)
  • IP-Based Rules — Allowlists and blocklists for specific IP addresses/ranges
  • Rate Limiting — Throttles excessive requests to prevent abuse

Essential WordPress Firewall Rules

These are the core firewall rules we recommend for every WordPress site. Each rule addresses a specific vulnerability class.

🚫

Block wp-config.php Access

Critical

Prevents direct access to wp-config.php, which contains your database credentials and security keys. This file should never be reachable over HTTP. On a healthy server PHP executes it rather than serving its source, but a broken PHP handler, or an editor or backup copy left beside it (wp-config.php~, wp-config.php.bak), returns the contents as plain text, so block any file name that starts with wp-config.php, not just the exact name.

Target: wp-config.php
Threat: Credential theft
Status: Active
.htaccess
# Block access to wp-config.php and copies such as wp-config.php.bak
<FilesMatch "^wp-config\.php">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 with mod_access_compat loaded
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Alternative using mod_rewrite (403 for the exact file name only)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-config\.php$ - [F,L]
</IfModule>
nginx
# Block access to wp-config.php. The unanchored pattern also matches
# copies such as wp-config.php.bak. Regex locations are tried in order of
# appearance, so this must come BEFORE the "location ~ \.php$" block that
# passes requests to PHP-FPM, or that block matches first.
location ~ /wp-config\.php {
    deny all;
    access_log off;
    log_not_found off;
}
🔒

Restrict wp-admin Access

Critical

Limits access to the WordPress admin area by IP allowlisting, or by adding a second authentication layer (HTTP Basic authentication in front of wp-login.php and wp-admin/), so that login attempts from unknown sources never reach WordPress. Two things to check first: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address unless mod_remoteip is configured to trust its X-Forwarded-For header, so the allowlist will lock you out, and allowlisting the proxy's address to get back in admits everyone; and wp-admin/admin-ajax.php must stay reachable, because themes and plugins call it for logged-out visitors.

Target: /wp-admin/
Threat: Brute force attacks
Status: Active
.htaccess
# Put this in wp-admin/.htaccess: a <Directory> block is NOT allowed
# inside .htaccess and causes a 500. Replace the example ranges with your
# own public addresses (192.168.1.0/24 only makes sense over a VPN).
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</IfModule>

# Keep admin-ajax.php open: front-end plugins call it for anonymous users.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
🗂

Disable Directory Browsing

High

Prevents visitors from viewing the contents of your directories. This stops attackers from discovering sensitive files, backup files, and plugin structures.

Target: All directories
Threat: Information disclosure
Status: Active
.htaccess
# Disable directory browsing (the host's AllowOverride must include
# "Options", otherwise this line alone produces a 500)
Options -Indexes
nginx
# Disable autoindex (directory listing). Off is the default; stating it
# explicitly guards against an included snippet turning it on.
autoindex off;
📝

Block wp-login.php Attacks

Critical

Protects the login page by rejecting requests whose User-Agent string matches known scanner names. This is cheap and stops careless tooling, but any attacker can send a browser User-Agent, so it is not a substitute for rate limiting (fail2ban watching the access log, mod_evasive, or Nginx limit_req on /wp-login.php) combined with unique passwords and two-factor authentication. The patterns match substrings, so "bot" also catches Googlebot; search engines have no reason to fetch wp-login.php, so that is acceptable.

Target: /wp-login.php
Threat: Brute force, credential stuffing
Status: Active
.htaccess
# Block bad bots from wp-login.php (substring match, case-insensitive;
# trivially bypassed by a spoofed User-Agent, so pair it with rate limiting)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (bot|crawl|spider|slurp|scan) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (w3af|nikto|nmap|sqlmap) [NC]
    RewriteRule ^wp-login\.php$ - [F,L]
</IfModule>
🛑

Block XML-RPC Abuse

High

Restricts access to xmlrpc.php. Its pingback method lets an attacker make your site send HTTP requests to a victim (used as a reflector in DDoS campaigns), and system.multicall lets hundreds of username/password guesses ride in a single request, which defeats per-request login throttling. Jetpack and the WordPress mobile apps need xmlrpc.php; if you use them, allow only Jetpack's published IP ranges instead of blocking outright. This rule does not touch the REST API.

Target: /xmlrpc.php
Threat: DDoS, brute force, pingback spam
Status: Active
.htaccess
# Block xmlrpc.php (skip this rule if you rely on Jetpack or the mobile apps)
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
🔍

Block SQL Injection Attempts

Critical

Rejects requests whose query string contains common SQL injection signatures before they reach WordPress. Two limits to keep in mind: mod_rewrite cannot inspect POST bodies, so forms are not covered, and %{QUERY_STRING} is the raw, undecoded string, so a keyword with one URL-encoded letter (%55nion) slips past while a loose pattern such as select.*from.*where rejects an innocent search for "selection from anywhere". Treat these rules as a tripwire; a real WAF such as ModSecurity with the OWASP Core Rule Set normalises the input first.

Target: All requests
Threat: SQL injection (SQLi)
Status: Active
.htaccess
# Block SQL injection signatures in the raw query string (tripwire only:
# POST bodies are not visible to mod_rewrite and encoded keywords pass)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} union(\s|\+|%20|/\*)+(all(\s|\+|%20)+)?select [NC,OR]
    RewriteCond %{QUERY_STRING} (concat|char|benchmark|sleep)\s*\( [NC,OR]
    RewriteCond %{QUERY_STRING} select(\s|\+|%20)+.+(\s|\+|%20)from(\s|\+|%20)+ [NC,OR]
    RewriteCond %{QUERY_STRING} (insert(\s|\+|%20)+into|delete(\s|\+|%20)+from) [NC,OR]
    RewriteCond %{QUERY_STRING} (drop(\s|\+|%20)+(table|database)|update(\s|\+|%20)+\w+(\s|\+|%20)+set) [NC,OR]
    RewriteCond %{QUERY_STRING} (\s|\+|%20|%27)(or|and)(\s|\+|%20)+[0-9a-z]+(=|%3d)[0-9a-z]+ [NC]
    RewriteRule .* - [F,L]
</IfModule>
✂️

Block XSS (Cross-Site Scripting)

High

Rejects query strings that carry script-injection markers. The same caveats apply as for the SQL injection rule (raw, undecoded query string only), and the widely copied pattern on\w+= is too broad: it matches any parameter name containing "on" followed by letters, such as month=12 or font=Arial. Anchoring the handler name to a word boundary or an encoded quote or space, as below, keeps real payloads like %20onerror%3D covered without rejecting those parameters.

Target: All requests
Threat: Cross-site scripting
Status: Active
.htaccess
# Block XSS markers in the raw query string (tripwire only; see SQLi rule)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3c)\s*(script|iframe|svg|img|object|embed) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript|vbscript): [NC,OR]
    RewriteCond %{QUERY_STRING} (\b|%22|%27|%20)on[a-z]+(\s|%20)*(=|%3d) [NC,OR]
    RewriteCond %{QUERY_STRING} (document\.(cookie|write|domain)|window\.location|eval\() [NC]
    RewriteRule .* - [F,L]
</IfModule>

Complete .htaccess Security Ruleset

Below is our complete recommended security ruleset for Apache servers. Place it above the "# BEGIN WordPress" block in your site's .htaccess: WordPress rewrites everything between "# BEGIN WordPress" and "# END WordPress" whenever permalinks are saved, and anything inside that block is lost. Wp Admin automatically deploys and maintains these rules on your site.

.htaccess — Full Security Ruleset
# ═══════════════════════════════════════════
# Wp Admin — WordPress Firewall Rules
# Last updated: December 2024
# Apache 2.4 syntax (mod_authz_core). On Apache 2.2 replace each
# "Require all denied" with "Order allow,deny" + "Deny from all".
# ═══════════════════════════════════════════

# ── Block wp-config.php and copies (wp-config.php.bak, ~) ──
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# ── Disable directory browsing (needs AllowOverride Options) ──
Options -Indexes

# ── Block access to sensitive files ──────
# FilesMatch tests the file NAME only, so entries such as "/LICENSE"
# (with a leading slash) never match anything. The list below covers
# backup, dump and log files, dotfiles (.htaccess, .env, .git*), and the
# readme/license files that reveal WordPress and plugin versions.
<FilesMatch "(\.(bak|old|orig|save|swp|sql|sql\.gz|log|sh|ini|inc|conf)$|^\..+|^(readme|license|changelog)\.(txt|html|md)$)">
    Require all denied
</FilesMatch>

# ── Block xmlrpc.php (remove if you use Jetpack or the mobile apps) ──
<Files xmlrpc.php>
    Require all denied
</Files>

<IfModule mod_rewrite.c>
RewriteEngine On

# ── Block SQL Injection ──────────────────
# Raw, undecoded query string only; mod_rewrite never sees POST bodies.
# A tripwire, not a WAF: use ModSecurity + OWASP CRS for real coverage.
RewriteCond %{QUERY_STRING} union(\s|\+|%20|/\*)+(all(\s|\+|%20)+)?select [NC,OR]
RewriteCond %{QUERY_STRING} (concat|char|benchmark|sleep)\s*\( [NC,OR]
RewriteCond %{QUERY_STRING} select(\s|\+|%20)+.+(\s|\+|%20)from(\s|\+|%20)+ [NC,OR]
RewriteCond %{QUERY_STRING} (insert(\s|\+|%20)+into|delete(\s|\+|%20)+from) [NC,OR]
RewriteCond %{QUERY_STRING} (drop(\s|\+|%20)+(table|database)|update(\s|\+|%20)+\w+(\s|\+|%20)+set) [NC,OR]
RewriteCond %{QUERY_STRING} (\s|\+|%20|%27)(or|and)(\s|\+|%20)+[0-9a-z]+(=|%3d)[0-9a-z]+ [NC]
RewriteRule .* - [F,L]

# ── Block XSS Attempts ───────────────────
# A bare "on\w+=" also rejects month=12 or font=Arial; anchor it instead.
RewriteCond %{QUERY_STRING} (<|%3c)\s*(script|iframe|svg|img|object|embed) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript|vbscript): [NC,OR]
RewriteCond %{QUERY_STRING} (\b|%22|%27|%20)on[a-z]+(\s|%20)*(=|%3d) [NC,OR]
RewriteCond %{QUERY_STRING} (document\.(cookie|write|domain)|window\.location|eval\() [NC]
RewriteRule .* - [F,L]

# ── Block file inclusion / traversal ─────
# Do not match on file extensions here: WordPress itself sends
# wp-login.php?redirect_to=...%2Fwp-admin%2Fpost.php, which a ".php"
# match would reject. Match traversal sequences and stream wrappers.
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} (file|ftp|php|phar|expect|zip):// [NC]
RewriteRule .* - [F,L]

# ── Block bad bots (scanner User-Agents; trivially spoofed) ──
RewriteCond %{HTTP_USER_AGENT} (w3af|nikto|nmap|sqlmap|nessus|masscan|acunetix) [NC]
RewriteRule .* - [F,L]

# ── Force HTTPS (if SSL enabled) ─────────
# Behind a CDN or reverse proxy that terminates TLS, %{HTTPS} is "off"
# for every request; the X-Forwarded-Proto check avoids a redirect loop.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# ── Security Headers ─────────────────────
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor is gone from current browsers and was abused for
    # cross-site leaks in old ones; "0" is the current recommendation.
    Header set X-XSS-Protection "0"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
⚠️ Important: Back up your .htaccess file before making changes. A single malformed directive, or one that needs a module the host has not loaded, returns a 500 Internal Server Error for the whole site; if that happens, remove the last rule you added. apachectl configtest does not validate .htaccess files, so test with a real request (for example curl -I against your home page) right after each change, and keep a second terminal open so you can revert.
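Once the ruleset is in place, check it from outside with a fixed set of requests rather than trusting the file. The script below is an added example in Python (not part of the page or of Wp Admin's tooling) that sends each probe with urllib and compares the status code with what the rule should produce: 403 for the blocked files and signatures, and anything but 403 for requests WordPress itself makes, so a rule that breaks the login redirect or admin-ajax.php for visitors shows up as a failure. The target https://example.com and the User-Agent string are placeholders; pass your own site as the first argument. A 404 on a blocked-file probe is reported as inconclusive, because the file may simply not exist.

```python
"""Post-deployment smoke test for WordPress firewall rules (added example).

Sends a fixed list of probes to a site and checks the status code each
rule should produce: 403 for blocked files and signatures, anything but
403 for requests WordPress itself depends on.
Usage: python firewall_check.py https://your-site.example
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, NamedTuple, Tuple


class Probe(NamedTuple):
    name: str
    path: str                # path (+ query) appended to the base URL
    expect_block: bool       # True: the rule should answer 403
    user_agent: str = "wp-firewall-check/1.0"   # made-up UA for this example


PROBES: List[Probe] = [
    # Requests the rules on this page must reject
    Probe("wp-config.php", "/wp-config.php", True),
    Probe("wp-config backup copy", "/wp-config.php.bak", True),
    Probe("xmlrpc.php", "/xmlrpc.php", True),
    Probe("debug log", "/wp-content/debug.log", True),
    Probe("dotfile", "/.env", True),
    Probe("directory listing", "/wp-includes/", True),
    Probe("sqli signature", "/?s=1+union+select+1,2,3", True),
    Probe("xss signature", "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),
    Probe("traversal", "/?file=../../../etc/passwd", True),
    Probe("scanner user-agent", "/", True, "sqlmap/1.0"),
    # Requests WordPress relies on: a 403 here means a rule is too broad
    Probe("login page", "/wp-login.php", False),
    Probe("login redirect", "/wp-login.php?redirect_to=https%3A%2F%2Fexample.com"
          "%2Fwp-admin%2Fpost.php%3Fpost%3D7&reauth=1", False),
    Probe("admin-ajax for visitors", "/wp-admin/admin-ajax.php?action=heartbeat", False),
    Probe("date archive query", "/?month=12&year=2024", False),
]

Fetcher = Callable[[str, str], int]


def fetch_status(url: str, user_agent: str) -> int:
    """GET the URL and return the HTTP status, including 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def judge(probe: Probe, status: int) -> str:
    """pass / FAIL / inconclusive for one probe result."""
    if probe.expect_block and status == 404:
        return "inconclusive"   # file absent, so the deny rule was never exercised
    return "pass" if (status == 403) == probe.expect_block else "FAIL"


def run(base_url: str, fetch: Fetcher = fetch_status) -> List[Tuple[str, int, str]]:
    """Fetch every probe against base_url; fetch is injectable for offline tests."""
    base = base_url.rstrip("/")
    results: List[Tuple[str, int, str]] = []
    for probe in PROBES:
        status = fetch(base + probe.path, probe.user_agent)
        results.append((probe.name, status, judge(probe, status)))
    return results


def summarize(results: List[Tuple[str, int, str]]) -> Dict[str, int]:
    counts = {"pass": 0, "FAIL": 0, "inconclusive": 0}
    for _, _, verdict in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder
    rows = run(target)
    for name, status, verdict in rows:
        print(f"{verdict:12} {status:3}  {name}")
    sys.exit(1 if summarize(rows)["FAIL"] else 0)
```

Run it once before and once after deploying the ruleset: the first run should fail the blocked-file probes, the second should pass everything, and a failure on "login redirect" or "admin-ajax for visitors" means a pattern is too broad and needs loosening before it goes live.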

Nginx Firewall Configuration

For sites hosted on Nginx, here is the equivalent security configuration, to be placed inside the server block. Nginx has no .htaccess; rules live in the server config and take effect on reload (run nginx -t first). Regex locations are matched in the order written, so the deny blocks below must precede the location that hands .php files to PHP-FPM.

nginx.conf
# ── Block sensitive files ────────────────
# Regex locations match in order of appearance: keep these above the
# "location ~ \.php$" block that hands requests to PHP-FPM.
location ~ /wp-config\.php {
    deny all;
}

location ~ /xmlrpc\.php {
    deny all;
}

# Dotfiles and dot-directories (.htaccess, .env, .git/), except the ACME
# path; "\.(ht|git|svn|env)$" would miss .htaccess and .git/config.
location ~ /\.(?!well-known/) {
    deny all;
}

# ── Block directory listing ──────────────
autoindex off;

# ── Block SQL injection & XSS ────────────
# Raw, undecoded $query_string: a tripwire, not a WAF. A bare "return"
# is safe inside "if" at server level.
if ($query_string ~* "union(\s|\+|%20|/\*)+(all(\s|\+|%20)+)?select") {
    return 403;
}
if ($query_string ~* "(<|%3c)\s*(script|iframe|svg|img)|(javascript|vbscript):") {
    return 403;
}
if ($query_string ~* "(\b|%22|%27|%20)on[a-z]+(\s|%20)*(=|%3d)") {
    return 403;
}