Title: TrapFlux Request Firewall
Author: susheelhbti
Published: June 18, 2026
Last modified: June 18, 2026

---


# TrapFlux Request Firewall

By [susheelhbti](https://profiles.wordpress.org/susheelhbti/)

[Download](https://downloads.wordpress.org/plugin/trapflux-request-firewall.zip)


## Description

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability
scanners and bot floods by **how they behave**, not just where they come from.

 * **Behavior-based blocking** — exploit-path probes (`.env`, `wp-config` backups,
   `.sql` dumps), malicious user agents, and request floods.
 * **Rate limiting** — every visitor is rate limited; hits on exploit paths count
   double, so scanners get banned far faster than real visitors ever could.
 * **Honeypot traps** — invisible links only bots follow; one visit means a permanent
   ban.
 * **Subnet bans** — block a whole CIDR range (e.g. `20.100.172.0/24`) when attackers
   rotate IPs on cloud providers.
 * **Text attack reports** — one-click downloadable `.txt` reports (summary + raw
   log) listing every URL attackers tried to access, ready to hand to your hosting
   company.
 * **fail2ban-friendly log** — one pipe-delimited line per blocked request, so your
   host can ban attackers at the network level using the plugin’s detections.
 * **Fails open** — any internal error and your site keeps working normally. An 
   emergency `disable.flag` file shuts blocking off instantly via FTP.

#### Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries.
For maximum resource savings you can point PHP’s `auto_prepend_file` at `firewall.php`
so blocking happens before WordPress loads at all. See the FAQ.

#### Honest limitations

 * This is a request firewall, not a malware scanner — it will not detect an
   already-infected site.
 * It ships with rules for today’s common probes and has no cloud threat feed; review
   the rules occasionally.
 * The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable
   that single toggle if you use them.
 * All assets (CSS/JS) are bundled — the plugin makes no external network requests.

## Installation

 1. Upload the `trapflux-request-firewall` folder to `/wp-content/plugins/`, or install
    the zip via Plugins > Add New > Upload.
 2. Activate **TrapFlux Request Firewall**. Your current IP is auto-whitelisted on 
    activation.
 3. Open the **TrapFlux Request Firewall** menu in wp-admin for stats, logs, reports
    and settings.

Data (config, bans, logs) is stored in `wp-content/uploads/trapflux-request-firewall/`.
An `.htaccess` deny rule is written automatically (Apache). On NGINX add:

```
location ^~ /wp-content/uploads/trapflux-request-firewall/ { deny all; }
```

## FAQ

### How do I enable blocking before WordPress loads?

Set PHP’s `auto_prepend_file` to the engine, in `.user.ini` (most shared hosting)
or `php.ini`:

```
auto_prepend_file = /full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php
```

Or in Apache `.htaccess` (mod_php):

```
php_value auto_prepend_file "/full/path/to/wp-content/plugins/trapflux-request-firewall/firewall.php"
```

The engine guards against double-loading, so having both is safe.

### I locked myself out. What do I do?

Create an empty file named `disable.flag` inside
`wp-content/uploads/trapflux-request-firewall/` via FTP or your host’s file manager.
All blocking stops instantly. Delete the file to re-enable.

### Can my hosting company use the log with fail2ban?

Yes. Each blocked request is one line in
`wp-content/uploads/trapflux-request-firewall/blocked.log`:

```
2026-06-11 14:32:07 | 20.100.172.37 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit
```

Suggested failregex: `^.* \| <HOST> \| .* \| BLOCKED: .*$`
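
The same log can feed the subnet bans described earlier. As an added example (not the plugin's own code), this Python script parses `blocked.log` lines in the format shown above and lists /24 ranges in which several distinct IPs were blocked. The function names, the `min_ips` threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Format from the FAQ: timestamp | ip | METHOD uri | UA: ... | BLOCKED: reason
# The IP is read from the second field only, anchored on the timestamp, so pipe
# characters later in the line cannot shift which field is treated as the source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<ip>[0-9A-Fa-f:.]+) \| "
    r"(?P<detail>.*) \| BLOCKED: (?P<reason>[^|]*)$"
)

def parse_line(line):
    """Return (ip, detail, reason), or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return ip, m.group("detail"), m.group("reason").strip()

def subnet_candidates(lines, min_ips=3, prefix=24):
    """Map CIDR -> blocked IPs for IPv4 ranges with at least min_ips distinct sources."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0].version != 4:
            continue
        net = ipaddress.ip_network(f"{parsed[0]}/{prefix}", strict=False)
        seen[str(net)].add(parsed[0])
    return {cidr: [str(i) for i in sorted(ips)]
            for cidr, ips in seen.items() if len(ips) >= min_ips}

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    "2026-06-11 14:32:07 | 203.0.113.5 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit",
    "2026-06-11 14:32:09 | 203.0.113.9 | GET /a | 198.51.100.7 | b | UA: ... | BLOCKED: rate-limit",
    "2026-06-11 14:32:11 | 203.0.113.77 | GET /.env | UA: ... | BLOCKED: rate-limit",
    "2026-06-11 14:32:12 | 203.0.113.5 | GET /.env | UA: ... | BLOCKED: rate-limit",
    "2026-06-11 14:32:15 | 198.51.100.20 | GET /xmlrpc.php | UA: ... | BLOCKED: rate-limit",
    "truncated or unrelated line",
]

if __name__ == "__main__":
    for cidr, ips in subnet_candidates(SAMPLE).items():
        print(f"{cidr}: {len(ips)} blocked IPs ({', '.join(ips)})")
```
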

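## Reviews

There are no reviews for this plugin.

## Contributors & Developers

"TrapFlux Request Firewall" is open source software. The following people have contributed to this plugin.

Contributors

 * [susheelhbti](https://profiles.wordpress.org/susheelhbti/)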


### Interested in development?

You can [browse the code](https://plugins.trac.wordpress.org/browser/trapflux-request-firewall/),
check out the [SVN repository](https://plugins.svn.wordpress.org/trapflux-request-firewall/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/) via
[RSS](https://plugins.trac.wordpress.org/log/trapflux-request-firewall/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.5

 * Removed the last hardcoded WP_CONTENT_DIR fallback (in plugin activation). Data
   directory now resolves exclusively via wp_upload_dir(); activation aborts with
   a clear message if that is unavailable, instead of guessing a path.

#### 1.0.4

 * Used wp_upload_dir() exclusively for data directory resolution; removed WP_CONTENT_DIR
   hardcode and dirname walk-up fallbacks.
 * Replaced custom SCRIPT_FILENAME direct-access guard with the standard ABSPATH
   check (plus TRAPFLUX_PREPEND_MODE constant for auto_prepend_file users).
 * Plugin activation now stores the resolved upload path in config.json so the
   prepend-mode engine can locate its data without guessing.

#### 1.0.3

 * Renamed to TrapFlux Request Firewall with a distinctive trapflux_ prefix on all
   options, hooks, AJAX actions and constants.
 * Moved all data (config, bans, logs) to the uploads directory:
   wp-content/uploads/trapflux-request-firewall/.
 * Sanitized all $_SERVER inputs at intake (user agent, IPs, request method, request
   URI).
 * Added a direct-access guard to the firewall engine file.

#### 1.0.2

 * Replaced Tailwind with a small handwritten stylesheet (~8 KB, prefixed classes,
   no build step, no framework).

#### 1.0.1

 * Replaced the Tailwind CSS CDN with a locally compiled stylesheet. The admin dashboard
   now makes zero external requests.

#### 1.0.0

 * Initial release: behavior-based blocking, rate limiting, honeypots, subnet bans,
   text reports, fail2ban-friendly logging, emergency off-switch.

## Meta

 * Version: **1.0.5**
 * Last updated: **2 days ago**
 * Active installations: **fewer than 10**
 * WordPress version: **5.8 or higher**
 * Tested up to: **7.0**
 * PHP version: **7.2 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/trapflux-request-firewall/)
 * Tags: [bot blocking](https://cn.wordpress.org/plugins/tags/bot-blocking/),
   [firewall](https://cn.wordpress.org/plugins/tags/firewall/),
   [honeypot](https://cn.wordpress.org/plugins/tags/honeypot/),
   [rate limiting](https://cn.wordpress.org/plugins/tags/rate-limiting/),
   [security](https://cn.wordpress.org/plugins/tags/security/)
