TrapFlux Request Firewall

TrapFlux Request Firewall is a lightweight request firewall that blocks vulnerability scanners and bot floods by how they behave, not just where they come from.

• Behavior-based blocking — exploit-path probes (.env, wp-config backups, .sql dumps), malicious user agents, and request floods.
• Rate limiting — every visitor is rate limited; hits on exploit paths count double, so scanners get banned far faster than real visitors ever could.
• Honeypot traps — invisible links only bots follow; one visit means a permanent ban.
• Subnet bans — block a whole CIDR range (e.g. 20.100.172.0/24) when attackers rotate IPs on cloud providers.
• Text attack reports — one-click downloadable .txt reports (summary + raw log) listing every URL attackers tried to access, ready to hand to your hosting company.
• fail2ban-friendly log — one pipe-delimited line per blocked request, so your host can ban attackers at the network level using the plugin’s detections.
• Fails open — any internal error and your site keeps working normally. An emergency disable.flag file shuts blocking off instantly via FTP.

Strongest mode (optional)

By default the firewall runs when plugins load — before WP routing, themes and queries. For maximum resource savings you can point PHP’s auto_prepend_file at firewall.php so blocking happens before WordPress loads at all. See the FAQ.

Honest limitations

• This is a request firewall, not a malware scanner — it will not detect an already-infected site.
• It ships with rules for today’s common probes and has no cloud threat feed; review the rules occasionally.
• The “Block xmlrpc.php” option breaks Jetpack and the WordPress mobile app — disable that single toggle if you use them.
• All assets (CSS/JS) are bundled — the plugin makes no external network requests.