Secure Owl Firewall

Secure Owl Firewall is a fast, lightweight firewall plugin with an advanced rule engine featuring PCRE pattern matching, a transformation pipeline, and JSON-based rule configuration.

Key features:

• JSON-based rules — 100+ default rules covering SQLi, XSS, RCE, LFI, SSRF, Log4Shell, and more
• Transformation pipeline — URL decode, lowercase, normalize path, remove whitespace, HTML entity decode, trim
• Inspection targets — REQUEST_URI, QUERY_STRING, USER_AGENT, REFERER, COOKIE, and POST
• MU-Plugin loader — runs before regular plugins for earliest protection
• Rate limiting — optional transient-based IP and subnet banning
• Login protection — PIN field, speed limit and honeypot to block brute-force attacks
• IP whitelist — CIDR/subnet support for both IPv4 and IPv6
• IP blacklist — CIDR/subnet support for both IPv4 and IPv6
• Per-rule toggle — disable individual rules from the admin panel without editing files
• File-based logging — 64MB cap with auto-rotation and protected storage
• Log retention — configurable policy for GDPR compliance
• IP anonymization — masks user IP addresses for enhanced privacy and GDPR compliance

Filter Hooks

• sswaf_ip_whitelist — array of IPs to bypass the firewall
• sswaf_ip_blacklist — array of IPs to block before any rules run
• sswaf_trusted_proxies — array of trusted proxy IPs for X-Forwarded-For
• sswaf_post_scanning — enable POST data inspection (default: true)
• sswaf_rules_file — path to the rules JSON file
• sswaf_log_file — path to the log file
• sswaf_log_max_size — maximum log size in bytes
• sswaf_header_status — HTTP status header for blocked requests
• sswaf_before_block — action hook fired before blocking a request
• sswaf_rate_limit_ip_threshold — override IP hit threshold
• sswaf_rate_limit_ip_duration — override IP ban duration
• sswaf_rate_limit_ip_window — override IP counting window