Further articles of the series

Security Plugins for WordPress: #1 Security is important
Security Plugins for WordPress: #2 Wordfence Security
Security Plugins for WordPress: #3 iThemes Security
Security Plugins for WordPress: #4 NinjaFirewall
Security Plugins for WordPress: #5 Sucuri Security
Security Plugins for WordPress: #6 All In One WP Security
Security Plugins for WordPress: #7 VaultPress

Insider tip of the Security Plugins

With the WordPress plugin NinjaFirewall we now come to my absolute favorite among the security plugins. Although NinjaFirewall is still relatively unknown, it is currently developing into a kind of insider tip. The firewall for WordPress is very effective, written for high performance and at the same time impressively efficient. Furthermore, the extension is kept very slim, and therefore the NinjaFirewall plugin runs noticeably better than the big competition. Why NinjaFirewall is my favorite security plugin, why it is an insider tip and why you should definitely try this extension, I will explain in more detail in the following test.

Firewall for WordPress

Compared to all other WordPress security plugins, NinjaFirewall takes itself much more seriously. It is not a scanner or a plugin optimized for beginners, but a real firewall that sits directly in front of WordPress, and every request has to pass it first. So before visitors get to the actual WordPress page, they are first scanned and checked, which of course applies especially to bots and crawlers. Shortly after activation, NinjaFirewall blocks a lot of aggressive requests, which may not necessarily affect security, but are superfluous and affect the performance of the server, for example the bots and crawlers that come by every few minutes. In no time the log file of NinjaFirewall fills with blocked requests that nobody wants on their website and probably nobody needs. The first step is done.

Screenshot 1: Beginners may not understand all of NinjaFirewall's options, but they don't need to change anything because the default settings are already very well thought out.

For beginners and professionals

As the test continues, it turns out that NinjaFirewall is also suitable for beginners, even if it looks completely different at first. The default settings are close to perfect; no changes are actually necessary unless you know your way around and have some special cases in the code. If you don't know what to do, just activate NinjaFirewall, leave everything as it is and have a look at the log from time to time. It fills up very quickly, and besides the blocked bots and crawlers, the first failed attacks also land there quite quickly. Among them are attacks on "admin-ajax.php" or attempted file uploads that NinjaFirewall was able to block. Every request is recorded: the entry is assigned a severity level (Low, Medium, High or Critical), and the firewall rule that was applied is also written to the log. These rules, which are applied depending on the request, can also be deleted or edited in the settings, so that individual behaviors can still be adjusted. This is partly complicated and requires some background knowledge, but as said before: beginners basically don't need to change anything. If something goes wrong or is wrongly blocked, a look into the log helps, although it is generally useful to protect potential targets in other ways or even block them completely if the attacks become too strong.

All-round protection for WordPress

Besides the special rules, the settings of NinjaFirewall provide everything webmasters could wish for. As said before: if you don't know what to do, leave everything on the default settings to avoid accidentally blocking real users with the firewall. If you know something about it, you can configure in detail how HTTP GET variables, HTTP POST variables, HTTP REQUEST variables, the HTTP response headers and much more are handled. You can also lock typical WordPress directories, and even the XML-RPC API can be deactivated with a click (I have already written about this, among other things in reference to DDoS attacks). The plugin and theme editor can also simply be switched off by NinjaFirewall if desired. Why does this make sense? Because normally you don't have to fiddle around with the editor all the time, but potential attackers can gain direct access to it, as recently happened with WordPress's most serious security vulnerability in 5 years. There was a variable that allowed attackers to make changes to the files via the plugin and theme editor. So NinjaFirewall leaves no possibilities open and is an absolutely successful all-round protection for WordPress. A real and very effective firewall, not a run-of-the-mill collection of security tweaks.

Screenshot 2: A small statistic on the dashboard shows what NinjaFirewall has blocked lately. The accesses are immediately sorted into threat levels.

Exemplary implementation and effective

Besides the quite strong and extensive firewall, NinjaFirewall of course also provides some extras. For example, the File Guard checks the execution of files, while the File Check creates an image of all current data to detect possible changes later on. Thus WordPress is virtually bulletproof, also because File Guard is a real-time detection and directly blocks external access. Apart from that, there is the usual brute-force protection at login, as well as the option to have NinjaFirewall send you an email when something changes, for example when a plugin is installed or deactivated, when admins log in, or when WordPress performs an automatic update. So you are always informed, and NinjaFirewall logs blocked files in the monthly log file anyway, which is why you can always check afterwards whether an access was blocked wrongly. The statistics also give you an overview of what kinds of attacks occurred and how many times per month. All of this is implemented in an absolutely exemplary manner and is also extremely effective.
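
The snapshot-and-compare idea behind a file check like the one described above, as an added example that is not NinjaFirewall's own code and not part of the original article: it hashes every file under a WordPress directory, stores the result, and later reports what was added, modified or removed. The function names, the script name and the `php_in_uploads` report are assumptions made for this illustration.

```python
import hashlib
import json
import os
import sys

# Assumption: WordPress' default media directory; new PHP here is rarely legitimate.
UPLOADS = "wp-content/uploads/"


def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never follow links out of the tree
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Write the snapshot; keep this file outside the web root."""
    with open(baseline_file, "w", encoding="utf-8") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)


def compare(root, baseline_file):
    """Report what changed since the baseline was written."""
    with open(baseline_file, encoding="utf-8") as fh:
        old = json.load(fh)
    new = snapshot(root)
    added = sorted(set(new) - set(old))
    return {
        "added": added,
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(new) & set(old) if new[p] != old[p]),
        "php_in_uploads": [p for p in added
                           if p.startswith(UPLOADS) and p.lower().endswith(".php")],
    }


if __name__ == "__main__":  # usage: filecheck.py baseline|check <wp_dir> <file>
    mode, root, baseline = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(root, baseline)
    else:
        print(json.dumps(compare(root, baseline), indent=1))
```

Write the baseline right after a known-good install or update, and rewrite it after every intended change, otherwise legitimate updates show up as modifications.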

NinjaFirewall WP+ Edition

Of course, such an extensive plugin has not been programmed simply out of good will. NinjaFirewall is not only available for WordPress, but also as a standalone version for other applications. In addition, an extended license can be ordered, which is called NinjaFirewall WP+ Edition and, at about 30 dollars per year and domain, is probably one of the cheapest offers on the market. The features of the WP+ edition include the use of the server's shared memory (which increases performance), the ability to lock out IPs or whole countries, more settings for bots and rules, an antispam function for comments and much more. In addition, HTML pages can be scanned before delivery and there are a few other conveniences. Everything is great, but even in the free version NinjaFirewall does its job almost perfectly. The WP+ edition just brings a few more additions, at an absolutely fair price, I think. The competition can hardly keep up with that.

Screenshot 3: The amazingly inexpensive premium version of NinjaFirewall mainly brings more features, which the normal user does not necessarily need.

Conclusion on NinjaFirewall

Even though we haven't reached the end of the article series yet, NinjaFirewall is already one of the winners for me. The WordPress plugin runs extremely stably, is an absolute dream in terms of performance, and even brought me noticeable improvements in the test: it relieved the server because it simply blocked and locked out attacks and nonsensical requests. All of this was already almost perfectly implemented in the free version; the WP+ Edition simply makes it even more extensive and adds more possibilities. But it should be clearly stated that the free version already offers great added value for virtually everyone, which is why users are happy to pay for the extended version, as they don't have the feeling of being ripped off or baited with a demo. NinjaFirewall is fantastic as it is, and those who appreciate it or need a few more settings will pay the 30 dollars a year. For me it is the cheapest and still the best method to equip WordPress with a real and powerful firewall. My tip: install the extension, leave it active for one or two weeks, check the log and then decide for yourself whether you want to continue using NinjaFirewall or uninstall the extension again. In contrast to most other security plugins, NinjaFirewall is not annoying ballast, but a really useful extension that actually provides more security and performance instead of just paralyzing everything and opening further security holes, as is the case with some other plugins. So if you ask me directly for a security plugin, you will get NinjaFirewall recommended.


NinjaFirewall at WordPress.org
NinjaFirewall Website

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.

4 thoughts on “Security Plugins for WordPress #4: NinjaFirewall”

    1. Hello Ditmar, in this case I can't give you an answer because I don't know the plugin Block Bad Queries (BBQ).
      In this case, a direct request to the developers of the NinjaFirewall would certainly be the best measure.
      Basically I am of the opinion that NinjaFirewall is sufficient as a solution regarding security, meaning Block Bad Queries (BBQ) does not have to be added in this case. We look after a large number of customers within the scope of maintenance contracts and have not experienced a "hack".
      Exactly 2 things are carried out here by us:
      1. installation of the NinjaFirewall
      2. no "excessive" use of WP plugins. If there are "new plugins / functions" that we want to use due to the project, we usually use premium plugins here.

      I am aware that this does not automatically mean that they are 100% safe, but I follow the opinion that if developers earn "real money" with their plugins, they will react more and more actively to security holes.

  1. Hi Christian!

     ... Basically, NinjaFirewall is sufficient as a solution with regard to security, meaning Block Bad Queries (BBQ) is no longer necessary. Within the scope of maintenance contracts we support a large number of customers and have never experienced a "crack". In general, regarding free versions of plug-ins: If developers are paid for their plug-ins, they offer more and are more active on security vulnerabilities.

