Description
TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by how they behave, not just where they come from.
- Behavior-based blocking — exploit-path probes (.env, wp-config backups, .sql dumps), malicious user agents, and request floods.
- Rate limiting — every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.
- Honeypot traps — invisible links only bots follow; one visit means a permanent ban.
- Subnet bans — block a whole CIDR range (e.g. 20.100.172.0/24) when attackers rotate IPs on cloud providers.
- Text attack reports — one-click downloadable .txt reports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company.
- fail2ban-friendly log — one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin’s detections.
- Fails open — any internal error and your site keeps working normally. An emergency disable.flag file shuts blocking off instantly via FTP.
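The feature list above describes four decisions the firewall makes per request: subnet and IP bans, honeypot trips, weighted rate limiting (exploit paths count double), and failing open on internal errors. The Python below is an added model of that decision logic, not the plugin's own PHP code; the exploit-path patterns, the honeypot path `/trap-do-not-follow/`, the limit of 30 weighted hits per 60-second window and the class name `Firewall` are all assumptions chosen for illustration.

```python
"""Added illustration (not the plugin's code) of behaviour-based blocking:
weighted rate limiting, honeypot traps, CIDR subnet bans and fail-open.
Rule lists, limits and the window length are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque

# Assumed rule set; the real plugin ships its own lists.
EXPLOIT_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env($|\.)"),                 # /.env, /.env.bak
    re.compile(r"wp-config\.php\.(bak|old|save|~)$"),  # wp-config backups
    re.compile(r"\.sql(\.gz)?$"),                    # .sql dumps
]
HONEYPOT_PATHS = {"/trap-do-not-follow/"}  # constructed honeypot path
RATE_LIMIT = 30        # weighted hits allowed per window (assumption)
WINDOW_SECONDS = 60    # sliding window length (assumption)
EXPLOIT_WEIGHT = 2     # "hits on exploit paths count double"


class Firewall:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> deque of (timestamp, weight)
        self.banned_ips = set()         # permanent bans (honeypot visitors)
        self.banned_nets = []           # ipaddress networks from subnet bans

    def ban_subnet(self, cidr):
        """Ban a whole CIDR range, e.g. '20.100.172.0/24'."""
        self.banned_nets.append(ipaddress.ip_network(cidr, strict=False))

    def _in_banned_net(self, ip):
        addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
        return any(addr in net for net in self.banned_nets)

    def _is_exploit_path(self, path):
        return any(p.search(path) for p in EXPLOIT_PATH_PATTERNS)

    def _weighted_hits(self, ip, now):
        """Drop hits older than the window, then sum the remaining weights."""
        q = self.hits[ip]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        return sum(w for _, w in q)

    def _decide(self, ip, path, now):
        if ip in self.banned_ips or self._in_banned_net(ip):
            return "BLOCKED: banned"
        if path in HONEYPOT_PATHS:
            self.banned_ips.add(ip)  # one visit means a permanent ban
            return "BLOCKED: honeypot"
        weight = EXPLOIT_WEIGHT if self._is_exploit_path(path) else 1
        self.hits[ip].append((now, weight))
        if self._weighted_hits(ip, now) > RATE_LIMIT:
            return "BLOCKED: rate-limit"
        return "ALLOW"

    def decide(self, ip, path, now):
        """Fail open: any internal error lets the request through."""
        try:
            return self._decide(ip, path, now)
        except Exception:
            return "ALLOW"


if __name__ == "__main__":
    fw = Firewall()
    fw.ban_subnet("20.100.172.0/24")
    # A scanner probing backups is banned after 16 hits (16 * 2 = 32 > 30);
    # a visitor browsing normal pages gets 30 before the 31st is blocked.
    for t in range(16):
        verdict = fw.decide("203.0.113.5", "/wp-config.php.bak", t)
    print("scanner after 16 probes:", verdict)
    print("banned subnet member:", fw.decide("20.100.172.37", "/", 0))
    print("honeypot visitor:", fw.decide("198.51.100.8", "/trap-do-not-follow/", 0))
```

Because the weight is applied per hit and the window slides, a scanner walking a list of backup filenames reaches the limit in half the requests a human would need; once the window empties the same IP is allowed again unless it tripped the honeypot, which is the one permanent ban in this model.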
Strongest mode (optional)
By default the firewall runs when plugins load — before WP routing, themes and queries. For maximum resource savings you can point PHP’s auto_prepend_file at firewall.php so blocking happens before WordPress loads at all. See the FAQ.
Honest limitations
- This is a request firewall, not a malware scanner — it will not detect an already-infected site.
- It ships with rules for today’s common probes and has no cloud threat feed; review the rules occasionally.
- The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable that single toggle if you use them.
- All assets (CSS/JS) are bundled — the plugin makes no external network requests.
Installation
- Upload the trapflux-request-firewall folder to /wp-content/plugins/, or install the zip via Plugins → Add New → Upload.
- Activate TrapFlux Request Firewall. Your current IP is auto-whitelisted on activation.
- Open the TrapFlux Request Firewall menu in wp-admin for stats, logs, reports and settings.
Data (config, bans, logs) is stored in wp-content/uploads/trapflux-request-firewall/. An .htaccess deny rule is written automatically (Apache). On NGINX add:
location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }
Frequently Asked Questions
- How do I enable blocking before WordPress loads?
  Set PHP’s auto_prepend_file to the engine, in .user.ini (most shared hosting) or php.ini:
  auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php
  Or in Apache .htaccess (mod_php):
  php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"
  The engine guards against double-loading, so having both is safe.
- I locked myself out. What do I do?
  Create an empty file named disable.flag inside wp-content/uploads/trapflux-request-firewall/ via FTP or your host’s file manager. All blocking stops instantly. Delete the file to re-enable.
- Can my hosting company use the log with fail2ban?
  Yes. Each blocked request is one line in wp-content/uploads/trapflux-request-firewall/blocked.log:
  2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit
  Suggested failregex:
  ^.* \| <HOST> \| .* \| BLOCKED: .*$
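As an added example (not part of the plugin or of fail2ban), the Python below shows what a host does with blocked.log: it applies the suggested failregex with `<HOST>` substituted by an address pattern, the way fail2ban does, then mimics fail2ban's `maxretry`/`findtime` counting to decide which addresses to ban. The sample log lines are constructed, the simplified host pattern is an assumption (fail2ban's own `<HOST>` expansion is more thorough), and the jail's `logpath` assumes a site root of `/var/www/html`.

```python
"""Added example (not the plugin's code): consume blocked.log the way a
fail2ban filter would. Sample lines are constructed; the failregex is the one
suggested in the FAQ."""
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands <HOST> to an address pattern; this is a simplified
# stand-in (assumption) covering dotted IPv4 and hex/colon IPv6 text.
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"
FAILREGEX = r"^.* \| <HOST> \| .* \| BLOCKED: .*$"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

# What the host would install (assumed paths). filter.d/trapflux.conf and a
# jail entry; keys are standard fail2ban settings.
FAIL2BAN_CONFIG = """\
# /etc/fail2ban/filter.d/trapflux.conf
[Definition]
failregex = ^.* \\| <HOST> \\| .* \\| BLOCKED: .*$
ignoreregex =

# /etc/fail2ban/jail.d/trapflux.conf
[trapflux]
enabled  = true
filter   = trapflux
logpath  = /var/www/html/wp-content/uploads/trapflux-request-firewall/blocked.log
maxretry = 3
findtime = 600
bantime  = 86400
"""

# Constructed sample of the pipe-delimited format, plus one junk line that
# the failregex must skip.
SAMPLE_LOG = """\
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: python-requests/2.31 | BLOCKED: rate-limit
2026-06-11 14:32:09 | 20.100.172.37 | GET /.env | UA: python-requests/2.31 | BLOCKED: rate-limit
garbage line without pipes
2026-06-11 14:32:11 | 20.100.172.37 | GET /wp-config.php.bak | UA: python-requests/2.31 | BLOCKED: rate-limit
2026-06-11 14:35:40 | 198.51.100.7 | GET /trap-do-not-follow/ | UA: Mozilla/5.0 | BLOCKED: honeypot
"""


def parse_blocked_log(text):
    """Return (timestamp, host, reason) for every line the failregex matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # fail2ban ignores lines its failregex does not match
        ts = TIMESTAMP_RE.match(line)
        reason = line.rsplit("BLOCKED: ", 1)[1]
        events.append((ts.group(1) if ts else None, m.group("host"), reason))
    return events


def hosts_to_ban(events, maxretry=3, findtime=600):
    """Mimic fail2ban: ban a host once it has maxretry matches within findtime
    seconds. Returns hosts in the order they crossed the threshold."""
    recent = defaultdict(deque)
    banned = []
    for ts, host, _ in events:
        if ts is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[host]
        q.append(when)
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    events = parse_blocked_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print("ban:", hosts_to_ban(events))
```

The host field is unambiguous for the regex because the fields that carry visitor-controlled text are prefixed with the method and `UA:`, so neither can be mistaken for an address between two pipes; keep that in mind if the log format is ever changed.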
Reviews
There are no reviews for this plugin yet.
Contributors & Developers
Changelog
1.0.5
- Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data directory now resolves exclusively via wp_upload_dir(); activation aborts with a clear message if that is unavailable, instead of guessing a path.
1.0.4
- Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR hardcode and dirname walk-up fallbacks.
- Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
- Plugin activation now stores the resolved upload path in config.json so the prepend-mode engine can locate its data without guessing.
1.0.3
- Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all options, hooks, AJAX actions and constants.
- Moved all data (config, bans, logs) to the uploads directory: wp-content/uploads/trapflux-request-firewall/.
- Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request URI).
- Added a direct-access guard to the firewall engine file.
1.0.2
- Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes, no build step, no framework).
1.0.1
- Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard now makes zero external requests.
1.0.0
- Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans, text reports, fail2ban-friendly logging, emergency off-switch.