Firewall & Brute-Force Protection

The WPSEC firewall protects your WordPress site from malicious traffic, brute-force attacks, and automated threats in real time.

How the Firewall Works

WPSEC analyzes every incoming request using a multi-signal classification engine. Each request is scored based on 17+ signals including:

  • IP reputation and history
  • Request pattern analysis
  • User agent classification
  • Geographic origin
  • Request velocity and frequency
  • Known attack signatures

Requests whose score exceeds the confidence threshold are automatically blocked; benign traffic passes through unimpeded.

Brute-Force Protection

WPSEC specifically monitors login endpoints (/wp-login.php, /xmlrpc.php) for brute-force patterns:

  • Rate limiting — Limits login attempts per IP address and time window.
  • Progressive lockout — Increases lockout duration for repeat offenders.
  • Credential stuffing detection — Identifies automated login attempts using leaked credentials.
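To make the rate-limiting and progressive-lockout behaviour concrete, here is an added Python example (not WPSEC's own code) that replays constructed login events through a per-IP limiter. The thresholds (5 failures per 60 s, a 300 s first lockout that doubles for each repeat offence, capped at 24 h) and the sample IPs and timestamps are all assumptions for illustration.

```python
from collections import defaultdict, deque
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}   # the endpoints named above
class LoginRateLimiter:
    """Per-IP rate limit with progressive lockout (illustrative; all thresholds assumed)."""

    def __init__(self, max_failures=5, window=60, base_lockout=300, max_lockout=86400):
        self.max_failures, self.window = max_failures, window            # N failures / seconds
        self.base_lockout, self.max_lockout = base_lockout, max_lockout  # first lockout, cap
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
        self.lockouts = {}                   # ip -> (unlock_at, strike_count)

    def lockout_remaining(self, ip, now):
        """Seconds until the IP may try again; 0 when it is not locked out."""
        return max(0, self.lockouts.get(ip, (0, 0))[0] - now)

    def record_failure(self, ip, now):
        """Register a failed login; return the lockout applied in seconds (0 if none)."""
        q = self.failures[ip]
        q.append(now)
        while q[0] <= now - self.window:     # expire attempts that fell out of the window
            q.popleft()
        if len(q) < self.max_failures:
            return 0
        strikes = self.lockouts.get(ip, (0, 0))[1] + 1   # repeat offender -> longer lockout
        duration = min(self.base_lockout * 2 ** (strikes - 1), self.max_lockout)
        self.lockouts[ip] = (now + duration, strikes)
        q.clear()
        return duration

def replay(limiter, events):
    """Run (time, ip, path, login_ok) events through the limiter; one decision per event."""
    decisions = []
    for now, ip, path, ok in events:
        if path.split("?", 1)[0] not in LOGIN_ENDPOINTS:
            decisions.append("pass")                 # not a login endpoint, not our concern
        elif limiter.lockout_remaining(ip, now):
            decisions.append("blocked")              # rejected before authentication runs
        elif ok:
            limiter.failures.pop(ip, None)           # a valid login clears the failure window
            decisions.append("allowed")
        else:
            secs = limiter.record_failure(ip, now)
            decisions.append(f"lockout {secs}s" if secs else "allowed")
    return decisions
# Constructed sample traffic: one IP hammering the login endpoints, one ordinary visitor.
SAMPLE = [(t, "203.0.113.7", "/wp-login.php", False) for t in range(5)]
SAMPLE += [(10, "203.0.113.7", "/wp-login.php", False),   # still inside the 300 s lockout
           (20, "198.51.100.5", "/about/", True)]          # normal page view, ignored
SAMPLE += [(320 + t, "203.0.113.7", "/xmlrpc.php", False) for t in range(5)]  # second burst
```

Running `replay(LoginRateLimiter(), SAMPLE)` shows the first burst earning a 300 s lockout, the attempt at t=10 being rejected without touching authentication, and the second burst after expiry earning 600 s because the strike count carried over.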

IP Management

You can manually manage IP addresses in the firewall settings:

  • Whitelist — Always allow specific IP addresses (e.g., your office IP).
  • Blacklist — Permanently block known malicious IPs.
  • View blocked IPs — See which IPs have been automatically blocked and why.

Custom WAF Rules

Advanced users can create custom Web Application Firewall rules to block or allow specific request patterns. Navigate to WPSEC → WAF Rules to create rules based on:

  • URL path patterns
  • HTTP methods
  • Query parameters
  • User agent strings
  • Request headers

REST API & Author Enumeration Blocking

WPSEC blocks common reconnaissance techniques:

  • Author enumeration — Blocks /?author=N scanning that reveals usernames.
  • REST user endpoint — Protects /wp-json/wp/v2/users from unauthorized access.
  • WordPress version disclosure — Removes version meta tags from HTML output.

Tip: The firewall works best with default settings. Only add custom rules if you have specific requirements.