16. Februar 2026
How to Set Up Custom Firewall Rules in WPSEC
WPSEC custom WAF rules let you create targeted protection for specific scenarios beyond the default firewall behavior.
When to Use Custom Rules
Custom rules are useful when you need to:
- Block access to specific URLs or paths
- Allow traffic from specific sources that are being blocked
- Add extra protection for admin or sensitive endpoints
- Block specific user agents or request patterns
Creating a Rule
- Navigate to WPSEC → WAF Rules.
- Click Add New Rule.
- Configure the rule conditions (see below).
- Set the action (Block or Allow).
- Save and activate the rule.
Rule Conditions
Each rule can match on one or more conditions:
- URL Path — Match requests to specific paths (supports wildcards).
- HTTP Method — Match GET, POST, PUT, DELETE, etc.
- IP Range — Match requests from specific IP addresses or CIDR ranges.
- User Agent — Match specific user agent strings.
- Query Parameter — Match specific query string parameters.
Example: Block Access to wp-config Backup
To block access to backup copies of wp-config.php:
- URL Path:
/wp-config* - Action: Block
- Note: This catches
wp-config.php.bak,wp-config.old, etc.
Rule Priority
Rules are evaluated in order. Place more specific rules before general ones. Allow rules are processed before block rules at the same priority level.
Tip: Test custom rules on a staging site first. A misconfigured rule can block legitimate traffic.