Basic WordPress Firewall using Mu-Plugins

Manuel Campos

In this tutorial I will teach you how to protect your WordPress site by implementing a basic Firewall.

This basic Firewall effectively blocks files that could be sources of problems, in case a vulnerability is found in the WordPress installation, in one of its plugins or themes.

The implementation of this Firewall requires access to your WordPress installation via a SFTP client or file explorer.

Now let’s look at everything you need to know to protect your WordPress site without a complex security plugin.

What Sites Should Use This Firewall?

This basic firewall is initially aimed at users who have a website that is not an E-Commerce or a membership site, as those type of sites require a series of exceptions for customers and users.

WordPress sites that function as authority sites or niche sites and that do not require their users to interact with WordPress installation files in any way shape or form can take full advantages of the simplicity of this plugin.

How to Prevent WordPress Sites from Getting Hacked

When setting up WordPress for the first time, it’s easy to overlook potential factors that could make your WordPress site vulnerable to hacking.

Primarily, hackers tend to focus on three key areas:

  1. WordPress Installation via Dashboard
  2. SFTP or SSH Access
  3. Database Vulnerabilities

If you’re using a reputable hosting provider, they likely have measures in place to prevent attempts at points 2 and 3.

For instance, Cloudways takes a robust approach by blocking unauthorized Database, SFTP and SSH access, managing exceptions through IP address exclusions.

In other words, you can rest assured that any potential hacking of your WordPress site won’t come from the database or the access to your installation via SSH/SFTP.

Using this hosting provider exposes your site only to attacks directed at the WordPress dashboard.

In other words, you should try to prevent:

  • Brute Force Attacks
  • SQL Injections
  • XSS Attacks
  • Other vulnerabilities present in Plugins, Themes, and the WordPress core

Therefore, this security solution aims to address these issues.

First and Foremost : CloudFlare Firewall

It’s impossible for me to write about WordPress security without mentioning CloudFlare.

These are three rules you should have in place to protect your WordPress from all kinds of attacks

  1. I recommend writing a rule that whitelist specific folder and files your visitors need and be as specific as possible.
  2. Once you do that, write another rule to block every file and folder from your WordPress installation.
  3. Block common keywords used in XSS attacks and directory transversal attacks and SQL injections.
Cloudflare Firewall Rules

I think you can do a bit more but these three would prevent most attacks and malicious scans

Mu-Plugins for WordPress Security

My security mu-plugins currently consist of four files

Three files with functions and one file with variables and arrays for handling IP address exceptions.

Let’s get started.

A File for Exceptions: IP Addresses

The initial step is to craft a .php file holding an array featuring the list of IP addresses you don’t wish to restrict.

It’s a fairly straightforward file, and you’re free to name it as you like, but I’ll refer to it as “super-settings.”

Within this file, you’ll find an array where you should specify your IP addresses and your server’s IP to prevent any potential issues.

You can add more IP addresses to whitelist other users and locations.

Theme and Plugins Editors, Plugin Installation, and Theme Lock-down

Stop Hackers

Here’s my first mu-plugin to add an extra layer of security to your site by limiting a hacker’s capabilities if they manage to infiltrate your WordPress dashboard.

Picture this: the hacker is inside your WordPress dashboard and realizes that:

  • They can’t tweak files in the existing theme or others.
  • They’re unable to tamper with files belonging to installed plugins.

Now, let’s say the hacker tries to install plugins from the WordPress repository or add a custom plugin to wreak havoc on your site. Surprise! They hit a roadblock:

  • Uploading themes or plugins is not allowed.
  • Deleting existing themes and plugin is not allowed
  • Installing other themes and plugins is also not allowed

At this point, they’ll notice these restrictions are thanks to mu-plugins.

This mu-plugin can only be removed using a file explorer plugin or via SFTP or SSH access ( He can’t do either one of them).

This file will remove the file and theme editors functionality from your site and prevent the update, modification, and installation of plugins and themes.

It will also restrict WordPress updates unless you are connected using the IP addresses specified in super settings.

Now, the hacker’s only option is to inject malicious scripts through posts or in media files.

Mu-Plugin to Stop PHP Execution in WordPress Folders

This is another plugin with functionality that you might find in security plugins.

This mu-plugin essentially automatically adds an .htaccess file in the following folders:

  • Plugin
  • Themes
  • Upload

The content in those .htaccess files is as follows:

Those three lines prevent the execution of PHP in folders, directories that should not contain .php files, or at least not in the root of those folders.

This mu-plugin not only creates those files automatically but will also add them in case they are removed or modified.

If a hacker exploits a vulnerability and uploads a .php file in those directories, that .php file will not be able to be executed.

Super Firewall MU – Plugin: Version #1

This plugin is a firewall for WordPress designed to protect against a variety of threats. It works by checking the requested URI and query string for specific patterns associated with potentially malicious activity.

The plugin includes a list of forbidden patterns for both the request URI and query string, and if a match is found, it triggers a 403 Forbidden response.

The firewall allows for excluding certain IP addresses from these checks.


These are some considerations before implementing this super security plugin:

  • I am not a developer or programmer; I know enough to achieve my goals. Often, I modify existing snippets or take code from existing plugins. I use artificial intelligence assistance to modify code or address some errors I encounter in the plugins I use
  • Mu-plugins may benefit from improvements and may require adjustments with each WordPress update. These plugins do not have irreversible effects.Use the plugins included in this and any other publication with caution and at your own risk.
  • For me, these mu-plugins serve as a fallback; I implement security rules at the CDN level, so this plugin is only in case something goes wrong with Cloudflare. Conduct tests on staging sites, less critical sites, or test sites before using some of the mu-plugins mentioned here.
  • I don’t see these plugins being installed on client sites as they require maintenance and administration.

Manuel Campos, English Professor

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica