How to Set Up a WordPress Firewall: Complete Configuration Guide
Step-by-step guide to configuring a WordPress firewall for maximum protection. Learn the optimal settings for WP Folder Shield's WAF.
Getting Started with WordPress Firewall Protection
A properly configured firewall is your most important defense against WordPress attacks. This guide walks you through setting up WP Folder Shield's Web Application Firewall for optimal protection, from installation to advanced configuration.
Step 1: Installation
Install WP Folder Shield
- Download WP Folder Shield from your customer dashboard
- Go to Plugins > Add New > Upload Plugin
- Select the ZIP file and click Install Now
- Activate the plugin
Enter Your License Key
- Go to Folder Shield > License
- Enter your license key
- Click Activate
The firewall begins protecting your site immediately with sensible defaults.
Step 2: Basic Firewall Configuration
Access Firewall Settings
Go to Folder Shield > Settings > Protection tab
Enable Core Protections
Ensure these are enabled (they should be by default):
- Web Application Firewall - Main protection toggle
- SQL Injection Protection - Blocks database attacks
- XSS Protection - Blocks script injection
- File Inclusion Protection - Blocks LFI/RFI attacks
- Command Injection Protection - Blocks shell commands
Enable Bot Blocking
In the same section:
- Block Vulnerability Scanners - Stops Nikto, SQLMap, WPScan
- Block Aggressive Crawlers - Stops resource-heavy bots
- Block Empty User Agents - Optional, blocks many scripts
Step 3: Directory Protection
This critical feature blocks PHP execution in vulnerable directories.
Enable Directory Protection
Go to Folder Shield > Dashboard and enable protection for:
- wp-content/uploads - Blocks PHP in media folder (CRITICAL)
- wp-content/cache - Protects cache directories
- wp-includes - Blocks direct PHP access
- wp-admin/css, js, images - Protects static folders
Click "Apply All Protections" to create the necessary .htaccess files.
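To confirm from the server's shell that the protections in this step are on disk, the following audit can be run against the WordPress root. It is an added example, not WP Folder Shield's own code, and it assumes each protection is an Apache .htaccess file whose rules mention PHP; the function name and output labels are made up for the illustration.

```shell
#!/bin/sh
# Added example: static audit of the directories named in Step 3.
# Assumption: protection takes the form of an Apache .htaccess file whose
# rules mention PHP; the plugin's actual rule text is not shown in this guide.

PROTECTED_DIRS="wp-content/uploads wp-content/cache wp-includes
wp-admin/css wp-admin/js wp-admin/images"

# audit_wp_dirs WP_ROOT
# Prints one finding per line; returns 0 only when nothing was flagged.
audit_wp_dirs() {
    root=$1
    findings=0
    for dir in $PROTECTED_DIRS; do
        [ -d "$root/$dir" ] || continue      # directory not present on this site
        ht="$root/$dir/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "MISSING  $dir/.htaccess"
            findings=$((findings + 1))
        elif ! grep -qi 'php' "$ht"; then    # heuristic: no PHP rule at all
            echo "NO-PHP-RULE  $dir/.htaccess"
            findings=$((findings + 1))
        fi
    done
    # Script files have no place in the media library; list them for
    # review (placeholder index.php files will show up here too).
    up="$root/wp-content/uploads"
    if [ -d "$up" ]; then
        hits=$(find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.phar' \))
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/REVIEW  /'
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Run against a real install when a path is given: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_wp_dirs "$1"
fi
```

A clean result only shows that the files exist; the .htaccess rules take effect only if the web server honors them (Apache with overrides allowed).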
Step 4: IP Management
Whitelist Your IP
To avoid accidentally blocking yourself:
- Go to Folder Shield > Settings > Protection
- Find the IP Manager section
- Add your IP address (and your team's) to the whitelist
Configure Auto-Blocking
Set how aggressively the firewall should auto-block attackers:
- Auto-Block Threshold - Number of attacks before permanent block (default: 10)
- Auto-Block Duration - How long to block (default: 24 hours)
Step 5: Enable Threat Intelligence
Threat Intelligence provides crowdsourced protection from 10,000+ sites.
Enable the Feature
- Go to Folder Shield > Threat Intelligence
- Toggle "Enable Threat Intelligence"
- Click "Sync Now" to download the latest threat data
Configure Settings
- Auto-Sync - Enable for automatic updates every 6 hours
- Minimum Confidence - IPs below this score aren't blocked (default: 75%)
- Contribute Data - Share attack data to help others (recommended)
Step 6: Review Security Logs
After enabling the firewall, check that it's working:
View Firewall Logs
- Go to Folder Shield > Security Logs
- Filter by "Firewall" type
- Review blocked requests
What to Look For
- Normal: Blocked SQL injection, XSS, bot requests
- Investigate: Your own IP being blocked (whitelist it)
- Investigate: Legitimate plugins being blocked (add exceptions)
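The web server's own access log gives an independent cross-check of the same two questions: is PHP under uploads being refused, and is your own address being blocked. The script below is an added example, not part of WP Folder Shield; it assumes Apache's combined log format and that blocked requests are answered with HTTP 403, and its sample lines and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: cross-check the firewall from the web server's access log.
# Assumptions: Apache "combined" log format, and blocked requests are
# answered with HTTP 403. The sample lines are constructed, not real traffic.

sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-content/uploads/2025/03/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:01:09 +0000] "GET /wp-content/uploads/2025/03/x.php HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.23 - - [12/Mar/2025:10:01:15 +0000] "POST /wp-content/uploads/cache/a.PhP?v=1 HTTP/1.1" 200 12 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

# check_access_log LOGFILE ADMIN_IP   (LOGFILE may be "-" for stdin)
# Returns 0 when nothing needs investigating.
check_access_log() {
    awk -v admin="$2" '
        BEGIN { re = "/wp-content/uploads/.*\\.(php|phtml|phar)([?/]|$)" }
        {
            ip = $1; path = $7; status = $9
            # A script under uploads answered with anything but 403/404
            # means directory protection did not stop the request.
            if ((tolower(path) ~ re) && status != 403 && status != 404) {
                print "SERVED " ip " " path " " status
                bad++
            }
            # The admin address being refused: add it to the whitelist.
            if (ip == admin && status == 403) self++
        }
        END {
            if (self) { print "SELF-BLOCKED " admin " " self " request(s)"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Demo on the constructed sample; 203.0.113.7 stands in for your own IP.
sample_log | check_access_log - 203.0.113.7 || true
```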
Step 7: Fine-Tune Based on Logs
False Positives
If legitimate requests are blocked:
- Check the blocked pattern in logs
- Add specific URL exceptions if needed
- Whitelist trusted IPs
Missing Blocks
If attacks are getting through:
- Ensure all protection types are enabled
- Check that Threat Intelligence is active
- Enable stricter bot blocking
Step 8: Enable Email Alerts
Get notified of important security events:
- Go to Folder Shield > Settings > Advanced
- Enter your email address for alerts
- Enable alerts for:
  - Brute force attack warnings
  - Malware detection
  - Core file changes
  - Settings modifications
Advanced Configuration
Custom Firewall Rules
For advanced users, WP Folder Shield allows custom patterns:
- Block specific URL patterns
- Block requests containing specific strings
- Create exceptions for known-good requests
Cloudflare Integration
If using Cloudflare:
- Go to Folder Shield > Settings > Integrations
- Enable Cloudflare integration
- Enter your API token and Zone ID
- Enable IP sync to push blocks to Cloudflare
Recommended Settings Summary
| Setting | Recommended |
|---|---|
| Web Application Firewall | Enabled |
| SQL/XSS/LFI Protection | All Enabled |
| Bot Blocking | Enabled |
| Directory Protection | All directories |
| Threat Intelligence | Enabled with auto-sync |
| Auto-Block Threshold | 10 attacks |
| Auto-Block Duration | 24 hours |
| Email Alerts | Enabled for critical events |
Conclusion
A properly configured WordPress firewall dramatically reduces your risk of compromise. WP Folder Shield's WAF provides comprehensive protection with sensible defaults, but taking time to configure it properly—especially directory protection and threat intelligence—maximizes your security. Monitor your logs regularly and adjust settings as needed for your specific site.
Written by Marcus Johnson
WP Folder Shield Team