TrapFlux Request Firewall
·
Lightweight, behavior-based bot firewall. Blocks scanners before WordPress loads, with text attack reports for your hosting company.
TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by how they behave, not just where they come from.
- Behavior-based blocking — exploit-path probes (
.env,wp-configbackups,.sqldumps), malicious user agents, and request floods. - Rate limiting — every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.
- Honeypot traps — invisible links only bots follow; one visit means a permanent ban.
- Subnet bans — block a whole CIDR range (e.g.
20.100.172.0/24) when attackers rotate IPs on cloud providers. - Text attack reports — one-click downloadable
.txtreports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company. - fail2ban-friendly log — one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin’s detections.
- Fails open — any internal error and your site keeps working normally. An emergency
disable.flagfile shuts blocking off instantly via FTP.
Strongest mode (optional)
By default the firewall runs when plugins load — before WP routing, themes and queries. For maximum resource savings you can point PHP’s auto_prepend_file at firewall.php so blocking happens before WordPress loads at all. See the FAQ.
Honest limitations
- This is a request firewall, not a malware scanner — it will not detect an already-infected site.
- It ships with rules for today’s common probes and has no cloud threat feed; review the rules occasionally.
- The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable that single toggle if you use them.
- All assets (CSS/JS) are bundled — the plugin makes no external network requests.