Configure Firewall Rules for WordPress

📅 Updated: Nov 12, 2024 ⏱️ 12 min read 👤 Security Team

Learn how to configure multi-layered firewall protection for your WordPress site. This guide covers server-level rules, web server configuration, and application-level WAF setup optimized for Wp Admin managed environments.

Overview

WordPress sites are prime targets for automated attacks, brute-force login attempts, and malicious scanning. Implementing a defense-in-depth firewall strategy significantly reduces your attack surface. Wp Admin recommends a three-tier approach:

  1. Network/Server Firewall: OS-level packet filtering (UFW, iptables, cloud firewalls) to control inbound/outbound traffic at port level.
  2. Web Server Rules: Nginx or Apache configuration to restrict access to sensitive directories, limit request rates, and block bad actors.
  3. Application WAF: WordPress-specific firewall rules to filter SQL injection, XSS, and malformed requests before they reach PHP.

ℹ️
All firewall configurations should be tested in a staging environment first. Wp Admin's managed plans include automated staging sync before applying production changes.

Prerequisites

  • SSH access to your server or VPS (root or sudo privileges)
  • WordPress 5.8+ on a supported PHP release (8.1 or newer)
  • Nginx 1.18+ or Apache 2.4+
  • Backup completed before making changes
⚠️
Incorrect firewall rules can lock you out of your server. Always keep a secondary SSH session open while testing, and schedule changes during low-traffic periods.

Step 1: Server-Level Firewall (UFW)

Ubuntu ships UFW (installed but disabled); on Debian install it with `apt install ufw`. Configure it to allow only the ports the site needs and drop everything else. Add the SSH rule before running `ufw enable`, otherwise the default-deny policy closes your own session.

Bash
# Set default policies: drop unsolicited inbound traffic, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH first (change 22 if you use a non-standard port)
sudo ufw allow 22/tcp comment "SSH access"

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"

# Optional: allow MySQL only from a private network if the DB is remote (usually keep it blocked).
# Restricting by source requires ufw's full syntax, not the "port/proto" shorthand.
# sudo ufw allow from 10.0.0.0/8 to any port 3306 proto tcp

# Enable the firewall and review the resulting rule set
sudo ufw enable
sudo ufw status verbose

For cloud environments (AWS, GCP, Azure), configure security groups or VPC firewall rules to mirror these policies at the infrastructure level.

Step 2: Web Server Configuration

Nginx Configuration

Add these rules to your server block to harden WordPress access. The one exception is `limit_req_zone`, which nginx only accepts in the `http` context (for example in nginx.conf); placing it inside `server` is a configuration error.

Nginx
# In the http {} context (not inside server {}): 5 requests/minute per client IP, 10 MB of state
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=5r/m;

# ----- everything below goes inside server { } -----

# Never serve the configuration file directly, even if the PHP handler is misconfigured
location = /wp-config.php { deny all; }

# Block dotfiles and VCS metadata (/.git/config, /.env, /.svn/...) but keep
# /.well-known/ reachable for ACME certificate challenges
location ~ /\.(?!well-known/) { deny all; access_log off; log_not_found off; }

# Block leftover backups, dumps and editor swap files by extension
location ~* \.(log|ini|bak|sql|swp)$ { deny all; access_log off; log_not_found off; }

# Restrict wp-admin to trusted networks. A regex location wins over the usual
# "location ~ \.php$" handler, so repeat your PHP hand-off (fastcgi_pass)
# inside this block or wp-admin's PHP files will not execute.
location ~* ^/wp-admin/ {
    allow 203.0.113.0/24;   # Replace with your IP/CIDR
    deny all;
    # ... your PHP (fastcgi_pass) handler here
}

# Front-end plugins call admin-ajax.php anonymously. An exact match (=) takes
# precedence over the regex block above, so it stays reachable.
location = /wp-admin/admin-ajax.php {
    # ... your PHP (fastcgi_pass) handler here
}

# Disable XML-RPC entirely unless Jetpack or a mobile app needs it
location = /xmlrpc.php { deny all; }

# Rate-limit login attempts. Use an exact match: a plain prefix location would
# lose to the "location ~ \.php$" regex and the limit would never apply.
location = /wp-login.php {
    limit_req zone=wp_login burst=3 nodelay;   # 503 once the burst is used up
    # Include standard WordPress rules / PHP handler...
}

Apache (.htaccess)

For Apache servers, place these rules in your root `.htaccess` file:

.htaccess
# Protect wp-config.php from direct requests (Apache 2.4 syntax; the 2.2 form
# "Order Allow,Deny / Deny from all" only works on 2.4 if mod_access_compat is loaded)
<Files wp-config.php>
    Require all denied
</Files>

# Disable XML-RPC unless Jetpack or a mobile app needs it
<Files xmlrpc.php>
    Require all denied
</Files>

# Block crude XSS probes in the query string. Caveat: the second condition
# rejects any query string containing ">", which can break legitimate URLs;
# tune or drop it if you see false positives in the error log.
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*(script|iframe|alert|confirm|prompt) [NC,OR]
RewriteCond %{QUERY_STRING} (>|%3E) [NC]
RewriteRule ^(.*)$ - [F,L]

# Disable directory browsing
Options -Indexes

Step 3: Application-Level WAF

WordPress-specific firewalls intercept malicious requests before PHP execution. Wp Admin integrates with ModSecurity and commercial WAF solutions. Below is a baseline ModSecurity rule for WordPress:

ModSecurity
# Block SQL injection attempts targeting WordPress. (?i) makes the match
# case-insensitive; without it "UNION SELECT" slips straight through.
# Caveat: ARGS includes POST bodies, so an editor writing "select ... from" in
# an article trips this rule; add !ARGS:content to the variable list if so.
SecRule ARGS|ARGS_NAMES "(?i:union.*select|select.*from|insert.*into|update.*set|delete.*from|drop.*table)" \
    "id:1001,phase:2,deny,status:403,log,msg:'WordPress SQL Injection Attempt'"

# Throttle wp-login brute force: refuse every request from an IP from its fifth
# login POST within 5 minutes. This counts attempts, not confirmed failures
# (phase 1 runs before WordPress has checked the password). initcol loads the
# per-IP collection; it is persisted only if SecDataDir is configured (ModSecurity 2.x).
# Resetting the counter with setvar on every request, as some snippets do, would
# make the block never fire.
SecAction "id:1002,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:1003,phase:1,pass,nolog,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.wp_login_counter=+1,expirevar:ip.wp_login_counter=300"
SecRule IP:WP_LOGIN_COUNTER "@ge 5" \
    "id:1004,phase:1,deny,status:429,log,msg:'wp-login.php brute force throttled'"
💡
Wp Admin's Professional and Enterprise plans include managed ModSecurity tuning with WordPress-specific rule sets updated weekly.

Step 4: Testing & Verification

After applying rules, verify functionality and security posture:

  1. Access your site from an incognito window to confirm normal operation, including a page that uses front-end AJAX (search, comments, contact forms), since those call wp-admin/admin-ajax.php
  2. Test wp-admin access from an allowed IP, then from an address outside the allow-list (for example a phone on mobile data); the second attempt should return 403
  3. Run curl -I https://yoursite.com to verify correct headers and status codes
  4. Online scanners such as SecurityHeaders.com only grade response headers; they do not exercise firewall rules, so use the curl checks below for those
Bash
# Verify blocked access to sensitive files
curl -I https://yoursite.com/wp-config.php   # Should return: HTTP/2 403
curl -I https://yoursite.com/.env            # Should return: HTTP/2 403
curl -I https://yoursite.com/xmlrpc.php      # Should return: HTTP/2 403
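The checks in this step, as an added example that is not code from the original article or from Wp Admin: a Python script that probes the blocked paths, confirms admin-ajax.php survived the wp-admin restriction, and POSTs to wp-login.php until the rate limit from Steps 2 and 3 answers 503 (nginx limit_req) or 429 (ModSecurity rule 1004). The site URL, the probe list and the offline fake fetcher are assumptions and constructed data; run it against your own site with `python3 fw_audit.py https://yoursite.com`.

```python
"""Added example (not from the original article or Wp Admin): audit a site
against the firewall rules from Steps 2-3. Site URL, probe list and the fake
fetcher are assumptions/constructed data."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit
from typing import Callable, Dict, List, Set, Tuple

Fetch = Callable[[str, str], int]  # (method, url) -> HTTP status code

# Paths that must be refused once the nginx/.htaccess rules are live.
# "deny all" answers 403; a 404 also proves the file is not being served.
BLOCKED_PATHS = ["/wp-config.php", "/wp-config.php.bak", "/.env", "/.git/config", "/xmlrpc.php"]
BLOCKED_OK: Set[int] = {403, 404}

# Paths that must keep working or the site and its plugins break. Redirects
# are followed, so a 302 to wp-login.php shows up here as a 200.
REQUIRED_PATHS: Dict[str, Set[int]] = {
    "/": {200},
    # WordPress answers 400/"0" when no action is given; a 403 means the
    # wp-admin allow-list swallowed admin-ajax.php as well.
    "/wp-admin/admin-ajax.php": {200, 400},
}

# nginx limit_req answers 503 by default; the ModSecurity rule uses 429.
THROTTLED: Set[int] = {429, 503}


def http_status(method: str, url: str) -> int:
    """Real fetcher: perform the request and return the HTTP status code."""
    req = urllib.request.Request(url, method=method, headers={"User-Agent": "fw-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_paths(fetch: Fetch, base: str, expectations: Dict[str, Set[int]]) -> List[Tuple[str, int, bool]]:
    """GET each path and record (path, status, passed)."""
    results = []
    for path, allowed in expectations.items():
        status = fetch("GET", base.rstrip("/") + path)
        results.append((path, status, status in allowed))
    return results


def probe_login_rate_limit(fetch: Fetch, base: str, attempts: int = 10) -> int:
    """POST to wp-login.php until the server throttles. Returns the 1-based
    attempt that was first throttled, or 0 if none was. Running this from your
    own IP locks you out for the duration of the rule's timer."""
    url = base.rstrip("/") + "/wp-login.php"
    for attempt in range(1, attempts + 1):
        if fetch("POST", url) in THROTTLED:
            return attempt
    return 0


def audit(fetch: Fetch, base: str) -> Dict[str, object]:
    """Run every check and collect human-readable failures."""
    blocked = check_paths(fetch, base, {p: BLOCKED_OK for p in BLOCKED_PATHS})
    required = check_paths(fetch, base, REQUIRED_PATHS)
    failures = [f"{path} returned {status}" for path, status, ok in blocked + required if not ok]
    first_throttle = probe_login_rate_limit(fetch, base)
    if first_throttle == 0:
        failures.append("wp-login.php POSTs were never throttled")
    return {"failures": failures, "first_throttle": first_throttle}


def make_fake_fetch(blocked_status: int = 403, throttle_after: int = 3) -> Fetch:
    """Constructed stand-in for http_status so the audit can run offline: models
    a site where blocked paths answer blocked_status and login POSTs are
    throttled (503) once more than throttle_after have been made."""
    login_posts = {"n": 0}

    def fake(method: str, url: str) -> int:
        path = urlsplit(url).path or "/"
        if method == "POST" and path == "/wp-login.php":
            login_posts["n"] += 1
            return 503 if login_posts["n"] > throttle_after else 200
        if path in BLOCKED_PATHS:
            return blocked_status
        if path == "/wp-admin/admin-ajax.php":
            return 400
        return 200

    return fake


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit(http_status, sys.argv[1])
    else:
        report = audit(make_fake_fetch(), "https://example.test")  # offline demo
    print("OK" if not report["failures"] else "\n".join(report["failures"]))
```

Without a URL argument the script runs against the fake fetcher, which is useful for checking the expectation table itself; with a URL it issues real requests, so run it from an address that is not on the wp-admin allow-list and expect to trip your own login throttle.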

Best Practices

  • Never expose management ports (SSH, database, PHP-FPM) to the public internet. Reach SSH through a VPN, a bastion host, or a UFW allow-list of admin addresses; moving SSH off port 22 only cuts scanner noise and is not a control.
  • Review firewall rules quarterly: prune stale allow entries (old admin IPs, decommissioned services) and refresh blocklists as attack patterns change.
  • Log everything and forward logs to a SIEM or Wp Admin's monitoring dashboard for anomaly detection.
  • Combine with fail2ban to automatically ban IPs that accumulate repeated 403/404 responses or failed wp-login.php POSTs.
  • Keep WordPress core & plugins updated — firewalls reduce risk but don't replace patching.
🚫
Do not block Cloudflare, Googlebot, or other legitimate CDN and crawler ranges; allow-list their published IP ranges so search visibility is not lost, and verify a "Googlebot" by reverse DNS rather than by User-Agent, which is trivially spoofed. When a CDN or reverse proxy sits in front of nginx, also enable ngx_http_realip_module (set_real_ip_from for each CDN range plus real_ip_header CF-Connecting-IP for Cloudflare, or X-Forwarded-For for other proxies). Otherwise every allow/deny and limit_req rule above evaluates the proxy's edge address: all visitors share one rate-limit bucket and the ModSecurity counter ends up blocking the CDN instead of the attacker.
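The fail2ban behaviour recommended above, as an added example that is not code from the original article or from Wp Admin: a Python replay of nginx access-log lines that counts failed wp-login.php POSTs per client IP in a sliding window (fail2ban's maxretry/findtime) and reports who would be banned. The log lines are constructed, and the thresholds are assumptions. It only works if the first field is the real client IP, which is exactly why the real-IP configuration in the note above matters when a CDN is in front.

```python
"""Added example (not from the original article or Wp Admin): fail2ban-style
detection of wp-login.php brute force over nginx access-log lines.
The sample log is constructed; thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 198.51.100.7 hammers the login form; 203.0.113.5 is a
# real user who mistypes once and then logs in (302); 192.0.2.9 fails slowly,
# spacing attempts 15 minutes apart to stay under a short window.
SAMPLE_LOG = """\
192.0.2.9 - - [12/Nov/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.5"
198.51.100.7 - - [12/Nov/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [12/Nov/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [12/Nov/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2024:10:01:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4123 "-" "python-requests/2.31"
192.0.2.9 - - [12/Nov/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.5"
192.0.2.9 - - [12/Nov/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.5"
not a log line at all
"""

Record = Tuple[str, datetime, str, str, int]


def parse_line(line: str) -> Optional[Record]:
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def is_failed_login(method: str, path: str, status: int) -> bool:
    """WordPress re-renders the form with HTTP 200 on a bad password and
    answers a successful login with a 302 to wp-admin, so POST + 200 is a
    failure. Plain GETs of the form are not attempts and are ignored."""
    return method == "POST" and path == "/wp-login.php" and status == 200


def find_bans(lines: Iterable[str], maxretry: int = 5, findtime_seconds: int = 600) -> List[Tuple[str, datetime]]:
    """Sliding-window count per IP, like fail2ban's maxretry/findtime.
    Returns (ip, time of the failure that crossed the threshold), one per IP."""
    findtime = timedelta(seconds=findtime_seconds)
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in banned or not is_failed_login(method, path, status):
            continue
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return sorted(banned.items())


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} (threshold crossed at {when.isoformat()})")
```

With the default 5 failures in 10 minutes only the fast attacker is caught; the slow one at 192.0.2.9 never has more than one failure inside the window. Widening findtime to an hour and lowering maxretry to 3 catches both, which is the trade-off a fail2ban jail makes between speed of reaction and the risk of banning a forgetful legitimate user.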

Need help implementing these rules?

Wp Admin's security team can audit your current configuration and deploy hardened firewall rules across all your managed sites.
