NinjaFirewall review: A WP firewall plugin

NinjaFirewall is one of the few firewall plugins in the WP repository with good ratings: it is rated 5 out of 5 on WordPress.org and runs on over 80000 WordPress websites. NF has good ratings, but is it a good alternative to the leading WP security extension Wordfence, or to Wordfence alternatives such as iThemes Security and All In One WP Security? Is its firewall customizable? Can the plugin improve the security of a WP website?

NinjaFirewall

Here are the new menus you’ll find on the WordPress dashboard sidebar after activating the plugin:

Options

When enabled (it is enabled by default), NinjaFirewall monitors incoming requests and blocks each IP address it finds suspicious. What happens when an IP is blocked? Instead of the requested page, NF serves a page with a custom message, and instead of an HTTP 200 status code this page can return one of these HTTP status codes – 400, 403, 404, 406, 418, 500, or 504. You can change the message, and the plugin lets you use custom HTML in it. There is also an option to export/import the settings.

Policies

The Firewall options page of the plugin lacks important settings; those live on the Policies page, which has 30+ options grouped into three tabs – basic, advanced, and intermediate. Let’s have a look at the settings in each “policy” tab. From the “basic” tab, you can enable the firewall for HTTPS or HTTP traffic of your website and allow/disallow file uploads. You can also enable filename sanitization from the Policy page. What does this mean? When the sanitization option is active, NF strips HTML and JS code from the names of uploaded files.

NF blocks access to the following directories on a WordPress website:

  • CSS, images, includes, js.
  • PHP, uploads, blog.dir, and cache.

If you want to modify the above rules, you must activate the Full WAF from NF’s dashboard page.

Statistics

The statistics section shows the threat level on a graph, grouped into three categories – critical, high, and medium. It also monitors requests and lists the slowest and fastest requests below the graph.

Policies

The policy page lets you block modification of the critical WordPress settings and the creation of new accounts on the website. It can also protect the wp-admin ajax file (admin-ajax.php) from malicious bots and reject bot requests to the WordPress REST API. NF can block pingbacks and all requests to the APIs.

By default, WordPress lets users edit theme and plugin code from the WordPress dashboard. To ensure the files contain only the code written by the theme/plugin developer, you can turn off the theme/plugin editor from the NF Policies page. Since updates can break a website, you can also turn off WordPress updates from the Policy page of NF.

The Intermediate policy tab lets you enable/disable the sanitization and scanning of cookies and of the HTTP GET, POST, REQUEST, HTTP_USER_AGENT and HTTP_REFERER variables. The extension can analyze GET/POST requests and block those whose variables contain the localhost IP. It can scan traffic that reaches the website from localhost, and it can block HTTP requests that carry an IP address instead of a hostname in the HTTP_HOST header. You can turn these three functions on/off from the Intermediate Policy tab.

The Advanced Policies tab of NF has many website security-related options. It lets you enable/disable HTTP response headers that improve your website’s security. It lists the following headers, each with a dropdown box to set its value:

  • X-Content-Type-Options, X-Frame-Options, X-XSS-Protection.
  • SameSite, HttpOnly (cookie attributes, applied through the Set-Cookie header), Strict-Transport-Security, Content-Security-Policy.
  • Referrer-Policy.
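As an added defender-side check (not NinjaFirewall’s own code), the Python script below audits a response’s headers for the items in this list and for the two cookie attributes on Set-Cookie; the accepted values and the two constructed responses are my own assumptions, not the plugin’s dropdown settings.

```python
import re
from typing import Dict, List

# Accepted values per header. Patterns are this example's own, not the plugin's
# dropdown values; SameSite and HttpOnly are checked on Set-Cookie instead.
HEADER_RULES = {
    "x-content-type-options": r"^nosniff$",
    "x-frame-options": r"^(deny|sameorigin)$",
    "x-xss-protection": r"^(0|1;\s*mode=block)$",
    "strict-transport-security": r"^max-age=[1-9]\d*",
    "content-security-policy": r"\S",
    "referrer-policy": r"^(no-referrer|same-origin|strict-origin|"
                       r"strict-origin-when-cross-origin|no-referrer-when-downgrade)$",
}
COOKIE_FLAGS = ("httponly", "samesite")

def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for a response's headers; an empty list means every check passed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, pattern in HEADER_RULES.items():
        values = lowered.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif not re.match(pattern, values[0].strip(), re.IGNORECASE):
            findings.append(f"weak {name}: {values[0].strip()}")
    for cookie in lowered.get("set-cookie", []):       # one entry per Set-Cookie line
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower().split("=")[0] for part in cookie.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings

# Constructed responses, not captured from a real site.
WEAK_RESPONSE = {
    "Content-Type": ["text/html; charset=UTF-8"],
    "X-Frame-Options": ["ALLOW-FROM https://example.com"],
    "Set-Cookie": ["wordpress_test_cookie=WP+Cookie+check; path=/"],
}
HARDENED_RESPONSE = {
    "X-Content-Type-Options": ["nosniff"],
    "X-Frame-Options": ["SAMEORIGIN"],
    "X-XSS-Protection": ["1; mode=block"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "Set-Cookie": ["wordpress_logged_in_x=example; path=/; Secure; HttpOnly; SameSite=Lax"],
}
```

Feed it the header map of a real response (for example from `urllib` or `requests`, with repeated Set-Cookie lines kept as a list) to see which of the tab’s options are actually reaching the browser.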

This tab also lets users activate the blocking of built-in PHP wrappers in cookies and various headers.
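The three request checks of the Intermediate tab (an IP literal in the Host header, a loopback address in GET/POST variables) together with this tab’s PHP-wrapper check on cookies and headers, as an added Python example that is not the plugin’s code; the patterns, the loopback interpretation of “localhost IP”, and the two constructed requests are my assumptions.

```python
import ipaddress
import re
from typing import Dict, List

IP_TOKEN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|(?<![\w:])::1(?![\w:])")  # own patterns, not NF's rules
PHP_WRAPPER = re.compile(r"(?<![\w.])(?:php|file|phar|glob|expect|zip)://|(?<![\w.])data:", re.I)

def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4/IPv6 literal, with or without :port."""
    h = host.strip()
    if h.startswith("["):                       # [2001:db8::1]:8443
        h = h[1:h.find("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:                     # blog.example:443 or 203.0.113.9:8080
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False

def contains_loopback(value: str) -> bool:
    """True when a parameter value carries a loopback address (127.0.0.0/8 or ::1)."""
    for token in IP_TOKEN.findall(value):
        try:
            if ipaddress.ip_address(token).is_loopback:
                return True
        except ValueError:                      # 999.1.1.1 matches the regex but is not an address
            pass
    return False

def screen_request(req: Dict) -> List[str]:
    """Return the reasons a request would be blocked; an empty list means it passes."""
    reasons = []
    host = req.get("headers", {}).get("Host", "")
    if host_is_ip_literal(host):
        reasons.append(f"IP literal in Host header: {host}")
    for where in ("GET", "POST"):
        for key, val in req.get(where, {}).items():
            if contains_loopback(val):
                reasons.append(f"loopback address in {where}[{key}]")
    for where in ("cookies", "headers"):
        for key, val in req.get(where, {}).items():
            if PHP_WRAPPER.search(val):
                reasons.append(f"PHP wrapper in {where}[{key}]")
    return reasons
# Constructed sample requests, not captured traffic.
CLEAN = {"headers": {"Host": "blog.example", "Referer": "https://blog.example/"},
         "GET": {"p": "42"}, "POST": {}, "cookies": {"wp_lang": "en_US"}}
SUSPECT = {"headers": {"Host": "203.0.113.9:8080", "Referer": "data:,hello"},
           "GET": {"url": "http://127.0.0.1/wp-admin/"}, "POST": {},
           "cookies": {"theme": "phar://example"}}
```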

Monitoring

NinjaFirewall’s monitoring section lets you create a snapshot of the files stored in a specific directory of the website. If you don’t want a particular subfolder of that directory included in the snapshot, enter its path in the Monitoring section. NF also ships with a module called FileGuard. What is FileGuard? When enabled, it monitors the following files of the WordPress installation and sends a notification email when someone modifies them:

  • index.php, wp-login.php, admin-ajax.php.
  • wp-load.php, and other files required for the proper functioning of the WP CMS.

You can enable the FileGuard module from the Monitoring section of NF.

Login protection

NinjaFirewall lets you enable brute-force protection for the website from this section, using one of two methods – a captcha or a username + password prompt. It can monitor the login.php file continuously and block IP addresses only while the website is under a brute-force attack. You can also enable Bot and XMLRPC protection from the login protection section.

Log

To see the plugin’s activity in real time, open its log page. This page has a dropdown box to choose a date and a large text box where the log content is displayed.

Rules

Like some other WordPress security extensions, NF ships with many security rules. By default, it is configured to detect new rules and update its rules database automatically. You can turn off auto-updates or disable specific rules from this section of NinjaFirewall.

Anti-malware

The malware scanner was available in older versions of NF. In the latest version, the Anti-Malware section instead shows an ad that prompts you to download the NinjaScanner antivirus plugin.

Pros

The firewall of this extension is customizable: you can enable the functions you want to use and turn off the ones you don’t.

Cons

Scanner: Wordfence has a built-in malware/file scanner that can find and list malware-infected files. NF doesn’t ship with a file scanner.

Closing words: NinjaFirewall is a good WordPress firewall plugin. It would have been much better if the malware-scanner feature were still available in it.

Pramod

Pramod is the founder of wptls. He has been using WordPress for more than nine years. He builds web applications, and writes about his experiences with various WP products on this site.
